Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1558933
MD5:2d9021d2b87b22f8db44ca359f9838af
SHA1:4e3376cfa016c0091e2e396255705ac2f401db1c
SHA256:b11878f626f1edf687231b583380efdba57ee846801ff869f9910aacfcd7b995
Tags:exeuser-Bitsight
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Entry point lies outside standard sections
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2D9021D2B87B22F8DB44CA359F9838AF)
    • chrome.exe (PID: 764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 7184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1988,i,5820746288978107784,3213896217040591065,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
    • chrome.exe (PID: 7872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 8064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 --field-trial-handle=2020,i,16253832576636000712,15236952978649801762,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["p10tgrace.sbs", "p3ar11fter.sbs", "3xp3cts1aim.sbs", "processhol.sbs", "peepburry828.sbs"], "Build id": "LOGS11--LiveTraffic"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000003.2213320242.0000000000EB8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      Process Memory Space: file.exe PID: 5128JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: file.exe PID: 5128JoeSecurity_LummaCStealerYara detected LummaC StealerJoe Security
          decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-20T00:19:05.296071+010020283713Unknown Traffic192.168.2.649709188.114.97.3443TCP
            2024-11-20T00:19:06.308862+010020283713Unknown Traffic192.168.2.649711188.114.97.3443TCP
            2024-11-20T00:19:07.519767+010020283713Unknown Traffic192.168.2.649712188.114.97.3443TCP
            2024-11-20T00:19:08.794450+010020283713Unknown Traffic192.168.2.649713188.114.97.3443TCP
            2024-11-20T00:19:10.101228+010020283713Unknown Traffic192.168.2.649715188.114.97.3443TCP
            2024-11-20T00:19:11.899282+010020283713Unknown Traffic192.168.2.649726188.114.97.3443TCP
            2024-11-20T00:19:13.332258+010020283713Unknown Traffic192.168.2.649732188.114.97.3443TCP
            2024-11-20T00:19:17.099291+010020283713Unknown Traffic192.168.2.649759188.114.97.3443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-20T00:19:05.750022+010020546531A Network Trojan was detected192.168.2.649709188.114.97.3443TCP
            2024-11-20T00:19:06.744571+010020546531A Network Trojan was detected192.168.2.649711188.114.97.3443TCP
            2024-11-20T00:19:17.539339+010020546531A Network Trojan was detected192.168.2.649759188.114.97.3443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-20T00:19:05.750022+010020498361A Network Trojan was detected192.168.2.649709188.114.97.3443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-20T00:19:06.744571+010020498121A Network Trojan was detected192.168.2.649711188.114.97.3443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-20T00:19:18.256775+010020197142Potentially Bad Traffic192.168.2.649765185.215.113.1680TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-20T00:19:08.130770+010020480941Malware Command and Control Activity Detected192.168.2.649712188.114.97.3443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: file.exeAvira: detected
            Antivirus detection for URL or domain
            Source: https://cook-rain.sbs/LAvira URL Cloud: Label: malware
            Source: https://cook-rain.sbs/apiEAvira URL Cloud: Label: malware
            Found malware configuration
            Source: file.exe.5128.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["p10tgrace.sbs", "p3ar11fter.sbs", "3xp3cts1aim.sbs", "processhol.sbs", "peepburry828.sbs"], "Build id": "LOGS11--LiveTraffic"}
            Multi AV Scanner detection for submitted file
            Source: file.exeReversingLabs: Detection: 36%
            Machine Learning detection for sample
            Source: file.exeJoe Sandbox ML: detected
            Sample uses string decryption to hide its real strings
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: p3ar11fter.sbs
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: 3xp3cts1aim.sbs
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: peepburry828.sbs
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: p10tgrace.sbs
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: processhol.sbs
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: lid=%s&j=%s&ver=4.0
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: TeslaBrowser/5.5
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: - Screen Resoluton:
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: - Physical Installed Memory:
            Source: 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString decryptor: Workgroup: -
            Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
            Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
            Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
            Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0HTTP Parser: No favicon
            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49787 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49738 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49759 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49774 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49821 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49881 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49895 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50023 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:50096 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50097 version: TLS 1.2
            Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2432117061.0000000006222000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2333438848.0000000008110000.00000004.00001000.00020000.00000000.sdmp

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49712 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49759 -> 188.114.97.3:443
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: p10tgrace.sbs
            Source: Malware configuration extractorURLs: p3ar11fter.sbs
            Source: Malware configuration extractorURLs: 3xp3cts1aim.sbs
            Source: Malware configuration extractorURLs: processhol.sbs
            Source: Malware configuration extractorURLs: peepburry828.sbs
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 19 Nov 2024 23:19:18 GMTContent-Type: application/octet-streamContent-Length: 2784256Last-Modified: Tue, 19 Nov 2024 22:03:48 GMTConnection: keep-aliveETag: "673d0b44-2a7c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 23 7a 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 79 7a 77 6b 73 63 76 00 20 2a 00 00 a0 00 00 00 1c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 76 71 67 6c 72 6d 74 00 20 00 00 00 c0 2a 00 00 04 00 00 00 56 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 5a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Source: Joe Sandbox ViewIP Address: 13.107.246.45 13.107.246.45
            Source: Joe Sandbox ViewIP Address: 185.215.113.16 185.215.113.16
            Source: Joe Sandbox ViewIP Address: 13.107.246.60 13.107.246.60
            Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
            Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49726 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49759 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49732 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49765 -> 185.215.113.16:80
            Source: unknownHTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49787 version: TLS 1.0
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
            Source: global trafficHTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=uFnXMHOoobFnOmG&MD=HBDadzPT HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
            Source: global trafficHTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
            Source: global trafficHTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
            Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=uFnXMHOoobFnOmG&MD=HBDadzPT HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
            Source: global trafficHTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)
            Source: global trafficDNS traffic detected: DNS query: cook-rain.sbs
            Source: global trafficDNS traffic detected: DNS query: js.monitor.azure.com
            Source: global trafficDNS traffic detected: DNS query: www.google.com
            Source: global trafficDNS traffic detected: DNS query: mdec.nelreports.net
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cook-rain.sbs
            Source: file.exe, file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exe
            Source: file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exel
            Source: file.exe, 00000000.00000002.2422704141.0000000000D3B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
            Source: file.exe, file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: file.exe, 00000000.00000003.2333942261.0000000000E9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: http://polymer.github.io/AUTHORS.txt
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: http://polymer.github.io/LICENSE.txt
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: http://polymer.github.io/PATENTS.txt
            Source: chromecache_107.7.drString found in binary or memory: http://schema.org/Organization
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://aka.ms/certhelp
            Source: chromecache_107.7.dr, chromecache_70.7.drString found in binary or memory: https://aka.ms/feedback/report?space=61
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://aka.ms/msignite_docs_banner
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://aka.ms/pshelpmechoose
            Source: chromecache_107.7.drString found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
            Source: chromecache_107.7.drString found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
            Source: chromecache_107.7.drString found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
            Source: file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=169648449
            Source: file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://channel9.msdn.com/
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
            Source: file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: file.exe, file.exe, 00000000.00000003.2210538557.000000000583E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213389979.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213547728.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2224176722.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227774944.000000000583D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2428759644.000000000583E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2233577604.000000000583D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213320242.0000000000EB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/
            Source: file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334073576.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334202682.0000000000EB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/L
            Source: file.exe, 00000000.00000003.2233665120.0000000000EB3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/api
            Source: file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cook-rain.sbs/apiE
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/Thraka
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/Youssef1313
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/adegeo
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://github.com/dotnet/try
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/gewarren
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://github.com/jonschlinkert/is-plain-object
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://github.com/js-cookie/js-cookie
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/mairaw
            Source: chromecache_107.7.drString found in binary or memory: https://github.com/nschonni
            Source: file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
            Source: chromecache_107.7.drString found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://learn-video.azurefd.net/vod/player
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://octokit.github.io/rest.js/#throttling
            Source: chromecache_99.7.drString found in binary or memory: https://schema.org
            Source: file.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: file.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
            Source: chromecache_99.7.drString found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
            Source: file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2427343536.00000000057C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: chromecache_87.7.dr, chromecache_99.7.drString found in binary or memory: https://www.linkedin.com/cws/share?url=$
            Source: file.exe, 00000000.00000003.2195884209.00000000057EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
            Source: file.exe, 00000000.00000003.2195884209.00000000057EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
            Source: file.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
            Source: file.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
            Source: file.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49864
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49863
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49861
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49981
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49980
            Source: unknownNetwork traffic detected: HTTP traffic on port 49898 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49875 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49859
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49858
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49978
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49853
            Source: unknownNetwork traffic detected: HTTP traffic on port 50085 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49851
            Source: unknownNetwork traffic detected: HTTP traffic on port 50039 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
            Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50004 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49849
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49848
            Source: unknownNetwork traffic detected: HTTP traffic on port 49978 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49847
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49845
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49842
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49963
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49962
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49961
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49960
            Source: unknownNetwork traffic detected: HTTP traffic on port 50040 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50096 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50073 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49959
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49958
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49957
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49956
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49955
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 50062 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49951
            Source: unknownNetwork traffic detected: HTTP traffic on port 49864 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49950
            Source: unknownNetwork traffic detected: HTTP traffic on port 49944 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50051 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49796 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49948
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49947
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49944
            Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
            Source: unknownNetwork traffic detected: HTTP traffic on port 50061 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49783
            Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
            Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50026 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49980 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
            Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49898
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49897
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49896
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49895
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49894
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49892
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49890
            Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50095 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49897 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49851 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
            Source: unknownNetwork traffic detected: HTTP traffic on port 50084 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
            Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
            Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50050 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49956 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49874
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49993
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
            Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50072 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50027 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866
            Source: unknownNetwork traffic detected: HTTP traffic on port 50013 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50036 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50059 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50094 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50071 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50060 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50100
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50102
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50104
            Source: unknownNetwork traffic detected: HTTP traffic on port 50025 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
            Source: unknownNetwork traffic detected: HTTP traffic on port 50037 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
            Source: unknownNetwork traffic detected: HTTP traffic on port 50012 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
            Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
            Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
            Source: unknownNetwork traffic detected: HTTP traffic on port 50093 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
            Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
            Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50082 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50081 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50070 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50092 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50024 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50069 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50053
            Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50056
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50055
            Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50058
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50057
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50059
            Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50061
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50060
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50063
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50062
            Source: unknownNetwork traffic detected: HTTP traffic on port 50068 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50102 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50045 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50065
            Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50064
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50067
            Source: unknownNetwork traffic detected: HTTP traffic on port 50091 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50056 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50066
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50069
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50068
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50070
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50072
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50071
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50074
            Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50073
            Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50076
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50075
            Source: unknownNetwork traffic detected: HTTP traffic on port 50057 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50078
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50077
            Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50079
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50081
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50080
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50083
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50082
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50085
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50084
            Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50087
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50086
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50089
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50088
            Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50092
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50091
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50094
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50093
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50096
            Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50095
            Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50019
            Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50012
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
            Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
            Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50013
            Source: unknownNetwork traffic detected: HTTP traffic on port 50078 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50024
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
            Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50026
            Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50067 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50039
            Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50031
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50036
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50035
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50038
            Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50037
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50041
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
            Source: unknownNetwork traffic detected: HTTP traffic on port 50066 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50104 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50089 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50043
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50045
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50044
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
            Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50050
            Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50051
            Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50044 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50042 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50077 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50053 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50088 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.6:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49738 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49759 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49774 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49821 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49881 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49895 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50023 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:50096 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50097 version: TLS 1.2

            System Summary

            barindex
            PE file contains section with special chars
            Source: file.exeStatic PE information: section name:
            Source: file.exeStatic PE information: section name: .rsrc
            Source: file.exeStatic PE information: section name: .idata
            Source: file.exeStatic PE information: section name:
            Source: C:\Users\user\Desktop\file.exeCode function: String function: 00ECBF67 appears 49 times
            Source: file.exe, 00000000.00000003.2301820778.0000000005CF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302955214.0000000005BE3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302805399.0000000005AC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292084515.0000000005C30000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2301025423.0000000005AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2297588180.0000000005AC4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294112878.0000000005B86000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2300554283.0000000005BD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290613134.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2304238442.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2304385884.0000000005BF5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2298508065.0000000005BC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290164770.0000000005B5B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294832412.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291077789.0000000005AC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2304560717.0000000005AC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292571987.0000000005AC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2287838085.00000000058C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2303563097.0000000005ACD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294691061.0000000005B9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2305165088.0000000005AC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294574618.0000000005ACF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291191352.0000000005B67000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2303104851.0000000005AC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000002.2432145498.0000000006226000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000002.2428759644.0000000005853000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefO vs file.exe
            Source: file.exe, 00000000.00000003.2289846686.0000000005B5F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2298099686.0000000005CA8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295814678.0000000005C8D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2301491387.0000000005ACF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2304732267.0000000005BF4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294455349.0000000005B9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290251733.0000000005BEF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2304037624.0000000005BF4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2300352528.0000000005AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2307811840.0000000005C1A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2297767157.0000000005BB4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2296177254.0000000005ACB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2289720417.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2305685796.0000000005ACF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2303409373.0000000005D09000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2293830280.0000000005C4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292444702.0000000005C36000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295140846.0000000005B9A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2305502607.0000000005F69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290428204.0000000005B55000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290949976.0000000005B6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2307516320.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295577572.0000000005AC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295058469.0000000005AC4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2308674243.0000000005C12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2296957473.0000000005BBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2333853973.00000000058C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294227399.0000000005C46000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302378662.0000000005BE2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292953627.0000000005AC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291553175.0000000005B7A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2299192660.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295458137.0000000005C75000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294349480.0000000005ACC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295250658.0000000005AC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2294952759.0000000005B98000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2303251492.0000000005BE4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2334202682.0000000000EC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2287838085.0000000005954000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2307250672.0000000005F68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290716769.0000000005B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2301181139.0000000005BC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2293992493.0000000005AC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290047435.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2296690548.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2296441100.0000000005BB6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291432364.0000000005AC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2297201849.0000000005AC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291821153.0000000005AC6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302650308.0000000005BED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2305013912.0000000005F6C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292719285.0000000005B87000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2308245746.0000000005AC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302122092.0000000005BEC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2300816254.0000000005CE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295696867.0000000005BAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2298368778.0000000005AC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2305871485.0000000005C11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2301976614.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290834276.0000000005AC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2306254197.0000000005C0F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2297403200.0000000005BBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2306704713.0000000005C11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2293631933.0000000005B83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291311664.0000000005C11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2306454627.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2305326738.0000000005BF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292328573.0000000005B7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2296055913.0000000005BBF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2306059204.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2301665859.0000000005BD4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302235999.0000000005ACB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2292206444.0000000005AC3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2301329543.0000000005CD3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2291946131.0000000005B7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2289625499.0000000005954000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2302527588.0000000005ACE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2287838085.0000000005909000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295369178.0000000005B9E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2295939246.0000000005AC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000002.2431682259.0000000005F6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290338110.0000000005AC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exe, 00000000.00000003.2290522043.0000000005BEA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedefOff.exe. vs file.exe
            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: file.exeStatic PE information: Section: ZLIB complexity 0.997447400990099
            Source: file.exeStatic PE information: Section: tklziwfw ZLIB complexity 0.994904197080292
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@24/65@9/7
            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: file.exe, 00000000.00000003.2168988962.00000000057F5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.00000000057D8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2182348333.00000000057FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: file.exeReversingLabs: Detection: 36%
            Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1988,i,5820746288978107784,3213896217040591065,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 --field-trial-handle=2020,i,16253832576636000712,15236952978649801762,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1988,i,5820746288978107784,3213896217040591065,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 --field-trial-handle=2020,i,16253832576636000712,15236952978649801762,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wkscli.dllJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: file.exeStatic file information: File size 1923584 > 1048576
            Source: file.exeStatic PE information: Raw size of tklziwfw is bigger than: 0x100000 < 0x1ac200
            Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2432117061.0000000006222000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2333438848.0000000008110000.00000004.00001000.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.4d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tklziwfw:EW;ovdkknhj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tklziwfw:EW;ovdkknhj:EW;.taggant:EW;
            Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
            Source: file.exeStatic PE information: real checksum: 0x1db0b3 should be: 0x1d6104
            Source: file.exeStatic PE information: section name:
            Source: file.exeStatic PE information: section name: .rsrc
            Source: file.exeStatic PE information: section name: .idata
            Source: file.exeStatic PE information: section name:
            Source: file.exeStatic PE information: section name: tklziwfw
            Source: file.exeStatic PE information: section name: ovdkknhj
            Source: file.exeStatic PE information: section name: .taggant
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00EB24C1 push es; iretd 0_3_00EB2534
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00EB3381 push cs; retf 0_3_00EB3394
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00EB24C1 push es; iretd 0_3_00EB2534
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00EB3381 push cs; retf 0_3_00EB3394
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00EB24C1 push es; iretd 0_3_00EB2534
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00EB3381 push cs; retf 0_3_00EB3394
            Source: file.exeStatic PE information: section name: entropy: 7.978399593089207
            Source: file.exeStatic PE information: section name: tklziwfw entropy: 7.9545840236936325

            Boot Survival

            barindex
            Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
            Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Query firmware table information (likely to detect VMs)
            Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
            Tries to detect sandboxes / dynamic malware analysis system (registry check)
            Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B00D0 second address: 6B00D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B00D5 second address: 6B00E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push esi 0x0000000b jnp 00007F3BB8CF9506h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B00E8 second address: 6B00F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jc 00007F3BB941C8DCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0377 second address: 6B037C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B037C second address: 6B0382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0668 second address: 6B0678 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007F3BB8CF9506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0678 second address: 6B0680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0680 second address: 6B068C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007F3BB8CF9506h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3076 second address: 6B307A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B307A second address: 6B30CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F3BB8CF950Fh 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F3BB8CF9508h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+122D2A32h] 0x00000031 lea ebx, dword ptr [ebp+1245AE49h] 0x00000037 mov edx, dword ptr [ebp+122D180Fh] 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B30CC second address: 6B30D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3144 second address: 6B3150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3150 second address: 6B317F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F3BB941C8E7h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F3BB941C8D8h 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B317F second address: 6B31E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jg 00007F3BB8CF950Eh 0x00000013 pop eax 0x00000014 mov cl, bh 0x00000016 push 00000003h 0x00000018 jmp 00007F3BB8CF9513h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 movzx edx, cx 0x00000023 pop edi 0x00000024 push 00000003h 0x00000026 jmp 00007F3BB8CF9515h 0x0000002b push FCBAFCDFh 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 pushad 0x00000034 popad 0x00000035 pop eax 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B31E1 second address: 6B31EB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3BB941C8DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B31EB second address: 6B320A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 3CBAFCDFh 0x0000000d xor dword ptr [ebp+122D2DA8h], edi 0x00000013 lea ebx, dword ptr [ebp+1245AE52h] 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B320A second address: 6B3211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3344 second address: 6B334E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B334E second address: 6B3358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3BB941C8D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3358 second address: 6B335C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B343A second address: 6B3440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3440 second address: 6B3444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3444 second address: 6B3448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C5F76 second address: 6C5F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69FA4D second address: 69FA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69FA53 second address: 69FA57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69FA57 second address: 69FA5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69FA5B second address: 69FA61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69FA61 second address: 69FA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007F3BB941C8D6h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69FA6D second address: 69FAA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F3BB8CF950Dh 0x00000012 jmp 00007F3BB8CF9511h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F3BB8CF9522h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3E0B second address: 6D3E1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F3BB941C8D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3E1B second address: 6D3E28 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D43DB second address: 6D43DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4D72 second address: 6D4D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4D7A second address: 6D4D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4D7F second address: 6D4D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3BB8CF9506h 0x00000009 jl 00007F3BB8CF9506h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4D93 second address: 6D4D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4D97 second address: 6D4D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4EF5 second address: 6D4F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E8h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4F11 second address: 6D4F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB8CF950Eh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A954 second address: 69A95A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69A95A second address: 69A960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D5080 second address: 6D5086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D5086 second address: 6D508C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D55A0 second address: 6D55A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D55A6 second address: 6D55D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3BB8CF9513h 0x0000000e jmp 00007F3BB8CF950Fh 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D55D1 second address: 6D55EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D55EE second address: 6D55F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D55F4 second address: 6D55FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D58EB second address: 6D58EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D815B second address: 6D815F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D815F second address: 6D8163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D831D second address: 6D8321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D8321 second address: 6D833C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3BB8CF9513h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D833C second address: 6D835C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D835C second address: 6D8360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D842E second address: 6D844B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BB941C8DCh 0x00000008 jbe 00007F3BB941C8D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jns 00007F3BB941C8D8h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D844B second address: 6D8451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D8451 second address: 6D8472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3BB941C8E5h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D8472 second address: 6D8494 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnc 00007F3BB8CF950Eh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D85FD second address: 6D8607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F3BB941C8D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E0FF0 second address: 6E0FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E1145 second address: 6E1149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4BFE second address: 6A4C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A15F8 second address: 6A160E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E2h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A160E second address: 6A1616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1616 second address: 6A161A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A161A second address: 6A161E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A161E second address: 6A1624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1624 second address: 6A162F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5031 second address: 6E5047 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3BB941C8DAh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5047 second address: 6E508C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jne 00007F3BB8CF950Ch 0x00000012 jne 00007F3BB8CF9508h 0x00000018 popad 0x00000019 mov eax, dword ptr [eax] 0x0000001b js 00007F3BB8CF9512h 0x00000021 js 00007F3BB8CF950Ch 0x00000027 jc 00007F3BB8CF9506h 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 jnl 00007F3BB8CF9506h 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c popad 0x0000003d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5383 second address: 6E539A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8E3h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E539A second address: 6E53AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F3BB8CF9514h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5C7E second address: 6E5CB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], ebx 0x0000000d jmp 00007F3BB941C8DBh 0x00000012 mov edi, dword ptr [ebp+122D2B82h] 0x00000018 nop 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5E81 second address: 6E5E87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5E87 second address: 6E5E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5E8D second address: 6E5E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E5FE0 second address: 6E5FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3BB941C8DAh 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E61E5 second address: 6E620E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007F3BB8CF9506h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jl 00007F3BB8CF9506h 0x00000016 jmp 00007F3BB8CF9512h 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E620E second address: 6E6218 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BB941C8DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6339 second address: 6E6382 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jp 00007F3BB8CF9511h 0x00000010 nop 0x00000011 jbe 00007F3BB8CF950Ch 0x00000017 or dword ptr [ebp+122D3717h], edi 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F3BB8CF950Dh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6382 second address: 6E6387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E68A9 second address: 6E68B9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E7145 second address: 6E7149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E7149 second address: 6E714F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E714F second address: 6E7166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8E3h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E813C second address: 6E8142 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E8142 second address: 6E815D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E815D second address: 6E81E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F3BB8CF9519h 0x0000000c jmp 00007F3BB8CF9513h 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F3BB8CF9508h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1D73h], edx 0x00000033 push edi 0x00000034 sub dword ptr [ebp+122D1FFEh], esi 0x0000003a pop esi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007F3BB8CF9508h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c je 00007F3BB8CF950Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E81E0 second address: 6E81E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E8BCA second address: 6E8BD4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EA35E second address: 6EA363 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EAE7E second address: 6EAEB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9517h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3BB8CF9515h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EEA9E second address: 6EEAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3BB941C8D6h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F00F9 second address: 6F00FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EF248 second address: 6EF2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F3BB941C8D8h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 push dword ptr fs:[00000000h] 0x00000028 jmp 00007F3BB941C8E8h 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 je 00007F3BB941C8D6h 0x0000003a mov eax, dword ptr [ebp+122D0065h] 0x00000040 cld 0x00000041 mov dword ptr [ebp+122D1880h], ebx 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007F3BB941C8D8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 0000001Ch 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 mov dword ptr [ebp+122D1897h], ebx 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F3BB941C8DDh 0x00000071 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F032F second address: 6F034C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F3044 second address: 6F30C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 push 00000000h 0x00000007 push esi 0x00000008 call 00007F3BB941C8D8h 0x0000000d pop esi 0x0000000e mov dword ptr [esp+04h], esi 0x00000012 add dword ptr [esp+04h], 00000017h 0x0000001a inc esi 0x0000001b push esi 0x0000001c ret 0x0000001d pop esi 0x0000001e ret 0x0000001f mov bx, 2E7Dh 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F3BB941C8D8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov bl, BBh 0x00000041 mov ebx, dword ptr [ebp+122D2010h] 0x00000047 push 00000000h 0x00000049 mov dword ptr [ebp+124844BFh], edx 0x0000004f xchg eax, esi 0x00000050 push edi 0x00000051 jng 00007F3BB941C8DCh 0x00000057 js 00007F3BB941C8D6h 0x0000005d pop edi 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F3BB941C8E1h 0x00000066 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F4056 second address: 6F4087 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov bl, FAh 0x00000014 push 00000000h 0x00000016 adc ebx, 3C7A1739h 0x0000001c or dword ptr [ebp+122D1B3Dh], edx 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D353Eh], esi 0x0000002a push eax 0x0000002b pushad 0x0000002c pushad 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F41F8 second address: 6F429E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F3BB941C8E5h 0x00000013 popad 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jnp 00007F3BB941C8D6h 0x0000001d popad 0x0000001e popad 0x0000001f nop 0x00000020 sub edi, dword ptr [ebp+122D2D26h] 0x00000026 push dword ptr fs:[00000000h] 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F3BB941C8D8h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 movzx ebx, di 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 jmp 00007F3BB941C8E3h 0x00000056 mov eax, dword ptr [ebp+122D0F61h] 0x0000005c push FFFFFFFFh 0x0000005e or dword ptr [ebp+122D18F4h], edi 0x00000064 movzx edi, si 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a js 00007F3BB941C8DCh 0x00000070 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F6099 second address: 6F60B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jnc 00007F3BB8CF950Ch 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F60B4 second address: 6F60F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 push esi 0x00000008 mov ebx, dword ptr [ebp+122D1E16h] 0x0000000e pop edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F3BB941C8D8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov bx, 5B5Ch 0x0000002f push 00000000h 0x00000031 mov ebx, dword ptr [ebp+122D1B2Bh] 0x00000037 xchg eax, esi 0x00000038 jbe 00007F3BB941C8E4h 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F5392 second address: 6F5396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F816F second address: 6F818A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F3BB941C8E2h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F818A second address: 6F8190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8190 second address: 6F8208 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3BB941C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007F3BB941C8E3h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F3BB941C8D8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e or dword ptr [ebp+122D1B83h], eax 0x00000034 mov di, bx 0x00000037 or dword ptr [ebp+122D2E13h], esi 0x0000003d push 00000000h 0x0000003f and bh, 00000000h 0x00000042 xchg eax, esi 0x00000043 jbe 00007F3BB941C8E5h 0x00000049 push eax 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d jns 00007F3BB941C8D6h 0x00000053 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8208 second address: 6F820C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA2BC second address: 6FA2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA2C2 second address: 6FA2C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FB75F second address: 6FB763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FB7F4 second address: 6FB7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA935 second address: 6FA94B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8E2h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA94B second address: 6FA94F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8352 second address: 6F8416 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3BB941C8D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F3BB941C8DEh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F3BB941C8D8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D3720h], edx 0x00000032 push dword ptr fs:[00000000h] 0x00000039 sub ebx, dword ptr [ebp+122D1AA1h] 0x0000003f cld 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 push 00000000h 0x00000049 push edx 0x0000004a call 00007F3BB941C8D8h 0x0000004f pop edx 0x00000050 mov dword ptr [esp+04h], edx 0x00000054 add dword ptr [esp+04h], 0000001Dh 0x0000005c inc edx 0x0000005d push edx 0x0000005e ret 0x0000005f pop edx 0x00000060 ret 0x00000061 movsx edi, si 0x00000064 xor bh, 0000003Ah 0x00000067 mov eax, dword ptr [ebp+122D0729h] 0x0000006d jmp 00007F3BB941C8E2h 0x00000072 mov di, bx 0x00000075 push FFFFFFFFh 0x00000077 jmp 00007F3BB941C8E5h 0x0000007c nop 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 pushad 0x00000081 popad 0x00000082 jc 00007F3BB941C8D6h 0x00000088 popad 0x00000089 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F71A8 second address: 6F71AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8416 second address: 6F843F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3BB941C8DBh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC7C1 second address: 6FC823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007F3BB8CF9512h 0x00000010 pop ebx 0x00000011 nop 0x00000012 mov ebx, dword ptr [ebp+122D36D9h] 0x00000018 push 00000000h 0x0000001a jmp 00007F3BB8CF9519h 0x0000001f or dword ptr [ebp+122D1DEBh], esi 0x00000025 push 00000000h 0x00000027 pushad 0x00000028 mov ax, dx 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push esi 0x00000030 pushad 0x00000031 popad 0x00000032 pop esi 0x00000033 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F843F second address: 6F8445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC823 second address: 6FC82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F3BB8CF9506h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC984 second address: 6FC992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC992 second address: 6FCA12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F3BB8CF9506h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D2A82h] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F3BB8CF9508h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d mov eax, dword ptr [ebp+122D0051h] 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F3BB8CF9508h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d push FFFFFFFFh 0x0000005f mov edi, 1FADC3B1h 0x00000064 nop 0x00000065 push eax 0x00000066 push edx 0x00000067 push edi 0x00000068 push eax 0x00000069 pop eax 0x0000006a pop edi 0x0000006b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FCA12 second address: 6FCA49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3BB941C8E7h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FCA49 second address: 6FCA56 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF252 second address: 6FF27C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnl 00007F3BB941C8D6h 0x00000011 jmp 00007F3BB941C8E8h 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 700208 second address: 70020C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7011B6 second address: 7011D2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BB941C8E3h 0x00000008 jmp 00007F3BB941C8DDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push ecx 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701264 second address: 70126A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70328C second address: 7032B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F3BB941C8D6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 je 00007F3BB941C8E4h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 705B29 second address: 705B5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F3BB8CF9514h 0x0000000c pop ecx 0x0000000d push edi 0x0000000e jmp 00007F3BB8CF950Ch 0x00000013 pop edi 0x00000014 pushad 0x00000015 jnp 00007F3BB8CF9506h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B941 second address: 70B945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70BC69 second address: 70BC8C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F3BB8CF9514h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70BC8C second address: 70BC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A7EA second address: 71A7FA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BB8CF9506h 0x00000008 jp 00007F3BB8CF9506h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A7FA second address: 71A878 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F3BB941C8E6h 0x0000000e jp 00007F3BB941C8D6h 0x00000014 jmp 00007F3BB941C8E7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d jmp 00007F3BB941C8E4h 0x00000022 jnc 00007F3BB941C8DEh 0x00000028 jmp 00007F3BB941C8E8h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A878 second address: 71A87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A87E second address: 71A882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB603 second address: 6AB607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB607 second address: 6AB60B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB60B second address: 6AB611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719513 second address: 719519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719519 second address: 71951D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71951D second address: 719541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F3BB941C8DCh 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719B2E second address: 719B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719B32 second address: 719B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3BB941C8E0h 0x0000000d popad 0x0000000e push ecx 0x0000000f jmp 00007F3BB941C8DEh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719C92 second address: 719C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719C96 second address: 719CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jno 00007F3BB941C8D6h 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719CA8 second address: 719CCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3BB8CF9513h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719CCC second address: 719CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719FA4 second address: 719FB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719FB5 second address: 719FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3BB941C8D6h 0x0000000a jmp 00007F3BB941C8E1h 0x0000000f jmp 00007F3BB941C8E4h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719FE9 second address: 719FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719FED second address: 719FF7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BB941C8D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719FF7 second address: 719FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719FFD second address: 71A011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8DEh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A29D second address: 71A2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F3BB8CF9506h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A2AC second address: 71A2E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DFh 0x00000007 jmp 00007F3BB941C8E5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jg 00007F3BB941C8D6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A2E6 second address: 71A2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A2EC second address: 71A2F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71E5A4 second address: 71E5AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 721CD0 second address: 721CD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 721CD5 second address: 721CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72689D second address: 7268B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7268B0 second address: 7268CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3BB8CF950Dh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726A0D second address: 726A1D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726A1D second address: 726A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726A21 second address: 726A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3BB941C8E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3BB941C8E3h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726A50 second address: 726A5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F3BB8CF9506h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726D12 second address: 726D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726D1D second address: 726D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726E92 second address: 726E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726E98 second address: 726EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3BB8CF9513h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726EB0 second address: 726EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8E1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726EC7 second address: 726ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726ECB second address: 726EE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727289 second address: 72728D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72728D second address: 7272A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3BB941C8E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7272A9 second address: 7272AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727415 second address: 72741B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72741B second address: 727432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3BB8CF950Eh 0x0000000a jc 00007F3BB8CF9506h 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727432 second address: 72743D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72743D second address: 72744E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF950Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727588 second address: 7275AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8DCh 0x00000009 jnl 00007F3BB941C8D6h 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F3BB941C8D6h 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7275AA second address: 7275C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7275C1 second address: 7275C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7275C7 second address: 7275CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ECDDD second address: 6ECDE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED09C second address: 6ED0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED0A1 second address: 6ED0AB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BB941C8DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED16B second address: 6ED16F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED16F second address: 6ED176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED176 second address: 6ED183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED255 second address: 6ED259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED323 second address: 6ED327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED36A second address: 6ED3C7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3BB941C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c jo 00007F3BB941C8E7h 0x00000012 jmp 00007F3BB941C8E1h 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 mov cl, 36h 0x0000001b movzx ecx, cx 0x0000001e popad 0x0000001f nop 0x00000020 jl 00007F3BB941C8E4h 0x00000026 push eax 0x00000027 je 00007F3BB941C8F1h 0x0000002d pushad 0x0000002e jmp 00007F3BB941C8E3h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDA6F second address: 6EDA73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDA73 second address: 6EDAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F3BB941C8D8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 stc 0x00000023 push 0000001Eh 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F3BB941C8D8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 jp 00007F3BB941C8D6h 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDAC8 second address: 6EDACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDE6A second address: 6EDE6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDE6F second address: 6EDEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF950Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sub edx, dword ptr [ebp+122D2B32h] 0x00000015 lea eax, dword ptr [ebp+124949AAh] 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F3BB8CF9508h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov cx, di 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F3BB8CF950Ch 0x00000040 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDEC4 second address: 6CA4CA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BB941C8D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F3BB941C8D8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jmp 00007F3BB941C8DBh 0x0000002e lea eax, dword ptr [ebp+12494966h] 0x00000034 call 00007F3BB941C8E2h 0x00000039 call 00007F3BB941C8E1h 0x0000003e pop edi 0x0000003f pop edi 0x00000040 push eax 0x00000041 pushad 0x00000042 jmp 00007F3BB941C8DFh 0x00000047 jmp 00007F3BB941C8E9h 0x0000004c popad 0x0000004d mov dword ptr [esp], eax 0x00000050 jmp 00007F3BB941C8E0h 0x00000055 mov dword ptr [ebp+122D235Fh], esi 0x0000005b call dword ptr [ebp+122D1CC6h] 0x00000061 push eax 0x00000062 push edx 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 pop edx 0x00000067 jng 00007F3BB941C8E7h 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CA4CA second address: 6CA4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF950Bh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CA4D9 second address: 6CA4DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A30D1 second address: 6A30E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Bh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A30E1 second address: 6A30E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72BC01 second address: 72BC1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3BB8CF950Fh 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72BC1E second address: 72BC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72BC23 second address: 72BC45 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BB8CF951Dh 0x00000008 jmp 00007F3BB8CF950Dh 0x0000000d jmp 00007F3BB8CF950Ah 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72BC45 second address: 72BC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72BF12 second address: 72BF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF9519h 0x00000009 pop edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72BF30 second address: 72BF37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B8 second address: 72C0BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C21B second address: 72C221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C4C6 second address: 72C4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C4CA second address: 72C4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C4D3 second address: 72C4FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF950Ah 0x00000009 jmp 00007F3BB8CF950Ch 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jo 00007F3BB8CF9506h 0x00000019 push edi 0x0000001a pop edi 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d popad 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C4FD second address: 72C520 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3BB941C8EDh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C520 second address: 72C526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7337EF second address: 7337F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7337F4 second address: 733805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3BB8CF9506h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 733805 second address: 733829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E6h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop esi 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A807D second address: 6A8083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73228B second address: 732295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3BB941C8D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732295 second address: 73229B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732534 second address: 732538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732692 second address: 732696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732696 second address: 7326AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3BB941C8DAh 0x0000000e pop eax 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732961 second address: 732971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F3BB8CF9522h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732971 second address: 73298B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E6h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73298B second address: 732990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732AD3 second address: 732ADF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732ADF second address: 732AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732C50 second address: 732C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 732C54 second address: 732C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73309E second address: 7330B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7330B3 second address: 7330EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F3BB8CF950Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3BB8CF9515h 0x00000014 jmp 00007F3BB8CF9512h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 733232 second address: 733236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73368E second address: 733695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 733695 second address: 73369F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BB941C8E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737501 second address: 737508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737508 second address: 737511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737511 second address: 737519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737519 second address: 73751F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73AF93 second address: 73AF97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73AF97 second address: 73AFA6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 je 00007F3BB941C8D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73AA8E second address: 73AABA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3BB8CF9518h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F3BB8CF9506h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73AC17 second address: 73AC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E0h 0x00000009 popad 0x0000000a push ebx 0x0000000b jng 00007F3BB941C8D6h 0x00000011 js 00007F3BB941C8D6h 0x00000017 pop ebx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73AC3A second address: 73AC59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9515h 0x00000007 jl 00007F3BB8CF950Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740A13 second address: 740A50 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BB941C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F3BB941C8FFh 0x00000010 jmp 00007F3BB941C8E2h 0x00000015 jmp 00007F3BB941C8E7h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740A50 second address: 740A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740A54 second address: 740A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F3BB941C8DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740A6D second address: 740A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740A71 second address: 740A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E2h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740F04 second address: 740F08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740F08 second address: 740F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED8FB second address: 6ED939 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F3BB8CF9508h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 and edx, dword ptr [ebp+122D1E44h] 0x0000002a push 00000004h 0x0000002c sbb edx, 3CD81C61h 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push edi 0x00000037 pop edi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED939 second address: 6ED93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED93E second address: 6ED948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3BB8CF9506h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 741F28 second address: 741F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3BB941C8E8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 741F4C second address: 741F5A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 741F5A second address: 741F6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F3BB941C8DEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6972E8 second address: 6972F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6972F5 second address: 697310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F3BB941C8D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push ebx 0x0000000e jno 00007F3BB941C8D6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 697310 second address: 697314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7456DB second address: 7456E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7456E1 second address: 7456E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7456E5 second address: 7456F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3BB941C8D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7456F1 second address: 7456F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7456F7 second address: 7456FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7456FD second address: 745701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745A02 second address: 745A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB941C8E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745A19 second address: 745A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745CAD second address: 745CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745F8B second address: 745F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF950Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A375 second address: 74A37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752869 second address: 75286F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7529E1 second address: 7529F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7529F9 second address: 752A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752B52 second address: 752B57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752B57 second address: 752B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752B5D second address: 752B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 jo 00007F3BB941C8D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752B6B second address: 752B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 754522 second address: 754528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 754528 second address: 754533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3BB8CF9506h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 754533 second address: 75454C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB941C8E4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75984E second address: 759858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3BB8CF9506h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 759858 second address: 75985C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75CF11 second address: 75CF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75CF18 second address: 75CF5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB941C8E9h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F3BB941C8E3h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3BB941C8DDh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75CF5B second address: 75CF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D1F9 second address: 75D21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E5h 0x00000009 jmp 00007F3BB941C8DBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765A80 second address: 765A8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765A8C second address: 765A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765A92 second address: 765A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765A9C second address: 765AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765C1C second address: 765C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765C25 second address: 765C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765C29 second address: 765C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765DA7 second address: 765DC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB941C8E9h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 765F23 second address: 765F31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76664F second address: 766669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766669 second address: 76667B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76667B second address: 766693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766693 second address: 766697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766697 second address: 76669F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76669F second address: 7666A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7666A5 second address: 7666AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7666AB second address: 7666AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7666AF second address: 7666B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7666B3 second address: 7666CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3BB8CF9506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007F3BB8CF9506h 0x00000013 jc 00007F3BB8CF9506h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764C33 second address: 764C3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764C3C second address: 764C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76DDBA second address: 76DDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A7D9 second address: 77A802 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3BB8CF950Ch 0x00000008 pushad 0x00000009 jmp 00007F3BB8CF9518h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786BD4 second address: 786BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786BD8 second address: 786BDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786BDC second address: 786BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78CE27 second address: 78CE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E60B second address: 78E61B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BB941C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E61B second address: 78E61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E61F second address: 78E62C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3BB941C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7922DC second address: 7922F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF9512h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792185 second address: 7921A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AC59 second address: 79AC7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Bh 0x00000007 jo 00007F3BB8CF9506h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jnl 00007F3BB8CF9506h 0x00000016 ja 00007F3BB8CF9506h 0x0000001c pop esi 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AC7C second address: 79AC87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F3BB941C8D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AC87 second address: 79AC8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7997E2 second address: 7997EC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BB941C8DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7997EC second address: 799806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF950Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799806 second address: 799811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3BB941C8D6h 0x0000000a pop ebx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799C60 second address: 799C6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799DD2 second address: 799DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799F4C second address: 799F56 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BB8CF9506h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799F56 second address: 799F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A91F second address: 79A923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EAD7 second address: 79EAEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EAEC second address: 79EB0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9513h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007F3BB8CF9506h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EB0E second address: 79EB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 ja 00007F3BB941C8E4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EB1F second address: 79EB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE718 second address: 7AE71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE71F second address: 7AE725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0047 second address: 7B004D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC041 second address: 7BC04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC04A second address: 7BC063 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F3BB941C8DEh 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBE7C second address: 7BBE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3BB8CF9506h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBE86 second address: 7BBE96 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3BB941C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBE96 second address: 7BBE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBE9A second address: 7BBEA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBEA2 second address: 7BBEA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBEA9 second address: 7BBEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jl 00007F3BB941C8D6h 0x00000012 jmp 00007F3BB941C8DAh 0x00000017 pop esi 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBEC6 second address: 7BBEDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE1B4 second address: 7BE1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F3BB941C8E5h 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jng 00007F3BB941C8D6h 0x00000015 jmp 00007F3BB941C8E9h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BDECF second address: 7BDEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007F3BB8CF9516h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BDEF0 second address: 7BDF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F3BB941C8DAh 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BDF02 second address: 7BDF07 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3FB9 second address: 7D3FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F3BB941C8DAh 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3FD3 second address: 7D3FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3FD9 second address: 7D3FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB941C8E3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3FF2 second address: 7D3FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3FFB second address: 7D3FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3FFF second address: 7D400A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D400A second address: 7D4010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D443E second address: 7D4453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jng 00007F3BB8CF9526h 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F3BB8CF9506h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D48EA second address: 7D48F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D48F7 second address: 7D48FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D48FF second address: 7D4905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4905 second address: 7D4915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007F3BB8CF9506h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4915 second address: 7D491A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D491A second address: 7D492C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D492C second address: 7D4930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4A85 second address: 7D4A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4C1E second address: 7D4C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4C22 second address: 7D4C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4C28 second address: 7D4C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3BB941C8E5h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7AF0 second address: 7D7B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3BB8CF9506h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f pushad 0x00000010 and dl, FFFFFFCBh 0x00000013 mov dword ptr [ebp+122D353Eh], edi 0x00000019 popad 0x0000001a push 00000004h 0x0000001c mov edx, esi 0x0000001e call 00007F3BB8CF9509h 0x00000023 push esi 0x00000024 jmp 00007F3BB8CF9517h 0x00000029 pop esi 0x0000002a push eax 0x0000002b pushad 0x0000002c pushad 0x0000002d jg 00007F3BB8CF9506h 0x00000033 jmp 00007F3BB8CF9513h 0x00000038 popad 0x00000039 push edx 0x0000003a jmp 00007F3BB8CF9514h 0x0000003f pop edx 0x00000040 popad 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F3BB8CF9511h 0x0000004d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7E60 second address: 7D7EC7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3BB941C8DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F3BB941C8D8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 jns 00007F3BB941C8D9h 0x0000002d mov dx, 3593h 0x00000031 push dword ptr [ebp+122D37C8h] 0x00000037 jmp 00007F3BB941C8E1h 0x0000003c push 64B046A4h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F3BB941C8DAh 0x00000048 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D91F3 second address: 7D920E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007F3BB8CF9515h 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB0AF second address: 7DB0B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BB941C8D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DABF2 second address: 7DABFF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3BB8CF9506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DABFF second address: 7DAC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAC04 second address: 7DAC0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E303C2 second address: 4E303D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8DFh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E303D5 second address: 4E3040E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F3BB8CF9513h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3040E second address: 4E30461 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3BB941C8E5h 0x00000009 adc ax, 1C86h 0x0000000e jmp 00007F3BB941C8E1h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3BB941C8E9h 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E30461 second address: 4E30465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E30465 second address: 4E3046B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3046B second address: 4E304DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB8CF950Ah 0x00000008 mov eax, 3BAF5F21h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 mov si, 7DFFh 0x00000017 jmp 00007F3BB8CF9514h 0x0000001c popad 0x0000001d pushfd 0x0000001e jmp 00007F3BB8CF9512h 0x00000023 xor eax, 39E18F18h 0x00000029 jmp 00007F3BB8CF950Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F3BB8CF9515h 0x00000039 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E304DB second address: 4E304EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8DCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E304EB second address: 4E30502 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3BB8CF950Ah 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E606C4 second address: 4E606F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 40h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b jmp 00007F3BB941C8E4h 0x00000010 push eax 0x00000011 jmp 00007F3BB941C8DBh 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E606F4 second address: 4E6075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F3BB8CF9510h 0x00000009 pop eax 0x0000000a popad 0x0000000b mov edx, 03B75BD6h 0x00000010 popad 0x00000011 push esp 0x00000012 pushad 0x00000013 jmp 00007F3BB8CF9518h 0x00000018 pushfd 0x00000019 jmp 00007F3BB8CF9512h 0x0000001e and ecx, 33DB0128h 0x00000024 jmp 00007F3BB8CF950Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr [esp], esi 0x0000002e pushad 0x0000002f mov dx, cx 0x00000032 push eax 0x00000033 push edx 0x00000034 mov edx, esi 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60869 second address: 4E60878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60878 second address: 4E6087E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60897 second address: 4E6089D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6089D second address: 4E6090A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, esi 0x0000000a jmp 00007F3BB8CF9519h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F3BB8CF9513h 0x00000019 xor esi, 2179902Eh 0x0000001f jmp 00007F3BB8CF9519h 0x00000024 popfd 0x00000025 call 00007F3BB8CF9510h 0x0000002a pop ecx 0x0000002b popad 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600DD second address: 4E600E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600E1 second address: 4E600FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9516h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600FB second address: 4E60134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F3BB941C8DBh 0x00000012 pop esi 0x00000013 jmp 00007F3BB941C8E9h 0x00000018 popad 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60134 second address: 4E6015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 7862h 0x00000007 call 00007F3BB8CF9513h 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push 1B988212h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6015D second address: 4E6016E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6016E second address: 4E60244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9511h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 5AFCA95Eh 0x00000010 pushad 0x00000011 mov esi, 1E00A5B3h 0x00000016 call 00007F3BB8CF9518h 0x0000001b pop eax 0x0000001c popad 0x0000001d mov eax, dword ptr fs:[00000000h] 0x00000023 jmp 00007F3BB8CF950Dh 0x00000028 nop 0x00000029 pushad 0x0000002a push esi 0x0000002b jmp 00007F3BB8CF9513h 0x00000030 pop eax 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F3BB8CF950Bh 0x0000003a xor ah, FFFFFFDEh 0x0000003d jmp 00007F3BB8CF9519h 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007F3BB8CF9510h 0x00000049 xor eax, 1BF36ED8h 0x0000004f jmp 00007F3BB8CF950Bh 0x00000054 popfd 0x00000055 popad 0x00000056 nop 0x00000057 jmp 00007F3BB8CF9516h 0x0000005c sub esp, 18h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60244 second address: 4E6024A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6024A second address: 4E60250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60250 second address: 4E60254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60254 second address: 4E60299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov dh, cl 0x0000000f mov ebx, 2BE363AEh 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 call 00007F3BB8CF9512h 0x0000001c pushad 0x0000001d popad 0x0000001e pop esi 0x0000001f mov dx, E1A4h 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push ecx 0x00000029 pop edx 0x0000002a mov cx, 9D27h 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60299 second address: 4E602CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e mov esi, edx 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F3BB941C8E0h 0x00000018 push ecx 0x00000019 pop ebx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d mov cl, dl 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E602CB second address: 4E60352 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 24B43885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c push esi 0x0000000d call 00007F3BB8CF950Dh 0x00000012 pop ecx 0x00000013 pop edi 0x00000014 pushfd 0x00000015 jmp 00007F3BB8CF950Eh 0x0000001a and ah, 00000048h 0x0000001d jmp 00007F3BB8CF950Bh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, edi 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F3BB8CF9514h 0x0000002c add ah, FFFFFFA8h 0x0000002f jmp 00007F3BB8CF950Bh 0x00000034 popfd 0x00000035 mov esi, 3BA4919Fh 0x0000003a popad 0x0000003b push eax 0x0000003c jmp 00007F3BB8CF9515h 0x00000041 xchg eax, edi 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 push edi 0x00000046 pop ecx 0x00000047 movsx edx, si 0x0000004a popad 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60352 second address: 4E603A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB941C8E7h 0x00000008 push esi 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [769B4538h] 0x00000012 pushad 0x00000013 mov ebx, esi 0x00000015 movzx eax, dx 0x00000018 popad 0x00000019 xor dword ptr [ebp-08h], eax 0x0000001c jmp 00007F3BB941C8DFh 0x00000021 xor eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F3BB941C8E2h 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603A5 second address: 4E603AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603AB second address: 4E603BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dx, ED96h 0x00000010 mov dl, 4Dh 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603BE second address: 4E603F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e movsx edi, si 0x00000011 pop esi 0x00000012 mov cx, di 0x00000015 popad 0x00000016 lea eax, dword ptr [ebp-10h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603F1 second address: 4E603F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603F5 second address: 4E603FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603FB second address: 4E6049E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3BB941C8DCh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr fs:[00000000h], eax 0x00000012 pushad 0x00000013 mov ecx, ebx 0x00000015 pushfd 0x00000016 jmp 00007F3BB941C8E3h 0x0000001b add eax, 774C118Eh 0x00000021 jmp 00007F3BB941C8E9h 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [ebp-18h], esp 0x0000002b jmp 00007F3BB941C8DEh 0x00000030 mov eax, dword ptr fs:[00000018h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F3BB941C8DDh 0x0000003f adc esi, 032BD476h 0x00000045 jmp 00007F3BB941C8E1h 0x0000004a popfd 0x0000004b call 00007F3BB941C8E0h 0x00000050 pop eax 0x00000051 popad 0x00000052 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6049E second address: 4E604A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604A4 second address: 4E604CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e pushad 0x0000000f jmp 00007F3BB941C8E4h 0x00000014 push eax 0x00000015 push edx 0x00000016 mov bh, ah 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604CB second address: 4E60510 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3BB8CF950Dh 0x00000008 or cl, FFFFFFE6h 0x0000000b jmp 00007F3BB8CF9511h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 test ecx, ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F3BB8CF9513h 0x0000001e mov cx, 21FFh 0x00000022 popad 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60510 second address: 4E6056C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F3BB941C947h 0x0000000f pushad 0x00000010 mov al, CAh 0x00000012 pushfd 0x00000013 jmp 00007F3BB941C8E9h 0x00000018 sbb esi, 607C5606h 0x0000001e jmp 00007F3BB941C8E1h 0x00000023 popfd 0x00000024 popad 0x00000025 add eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6056C second address: 4E6058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BB8CF9519h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6058A second address: 4E60590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60590 second address: 4E60594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60594 second address: 4E60598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60598 second address: 4E605AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, F087h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50099 second address: 4E5009F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5009F second address: 4E500F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F3BB8CF9514h 0x00000012 pushfd 0x00000013 jmp 00007F3BB8CF9512h 0x00000018 add si, F7D8h 0x0000001d jmp 00007F3BB8CF950Bh 0x00000022 popfd 0x00000023 pop ecx 0x00000024 mov esi, edx 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E500F6 second address: 4E500FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E500FA second address: 4E50100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50100 second address: 4E50106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50106 second address: 4E5010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5010A second address: 4E5012F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3BB941C8E8h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50223 second address: 4E50265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 sub ebx, ebx 0x00000008 pushad 0x00000009 jmp 00007F3BB8CF9517h 0x0000000e movzx ecx, bx 0x00000011 popad 0x00000012 mov edi, 00000000h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3BB8CF9517h 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50265 second address: 4E5026A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5026A second address: 4E50270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50270 second address: 4E50280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 inc ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov edi, eax 0x0000000d mov cl, C2h 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50280 second address: 4E502A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9510h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3BB8CF950Ah 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E502A4 second address: 4E502AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5033E second address: 4E50344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5041E second address: 4E50461 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3BB941C8E7h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [ebp-14h], edi 0x0000000f pushad 0x00000010 mov eax, 590AC1C7h 0x00000015 jmp 00007F3BB941C8DCh 0x0000001a popad 0x0000001b jne 00007F3C2AF2A91Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 movsx edi, cx 0x00000027 push ecx 0x00000028 pop ebx 0x00000029 popad 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50461 second address: 4E50467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50467 second address: 4E5046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5046B second address: 4E5047F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, esi 0x00000010 mov bx, si 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5047F second address: 4E504BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov eax, 0F93A3A1h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lea eax, dword ptr [ebp-2Ch] 0x00000011 jmp 00007F3BB941C8DCh 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 mov cx, B34Dh 0x0000001c mov edi, eax 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F3BB941C8E2h 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E504BA second address: 4E504CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB8CF950Eh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E504CC second address: 4E504DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop ebx 0x0000000e movzx esi, bx 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E504DE second address: 4E504EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB8CF950Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E504EF second address: 4E504FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E504FE second address: 4E50504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50504 second address: 4E50525 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F3BB941C8E0h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50525 second address: 4E5052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5052A second address: 4E50530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50530 second address: 4E50534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50534 second address: 4E50538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5057B second address: 4E5057F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5057F second address: 4E50583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50583 second address: 4E50589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50589 second address: 4E5059F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5059F second address: 4E505BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E505BC second address: 4E40770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BB941C8E7h 0x00000008 mov cx, FC6Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3BB941C8E0h 0x00000018 or cx, 8898h 0x0000001d jmp 00007F3BB941C8DBh 0x00000022 popfd 0x00000023 popad 0x00000024 je 00007F3C2AF2A928h 0x0000002a xor eax, eax 0x0000002c jmp 00007F3BB93F600Ah 0x00000031 pop esi 0x00000032 pop edi 0x00000033 pop ebx 0x00000034 leave 0x00000035 retn 0004h 0x00000038 nop 0x00000039 cmp eax, 00000000h 0x0000003c setne cl 0x0000003f xor ebx, ebx 0x00000041 test cl, 00000001h 0x00000044 jne 00007F3BB941C8D7h 0x00000046 jmp 00007F3BB941C9FAh 0x0000004b call 00007F3BBDD591B9h 0x00000050 mov edi, edi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F3BB941C8E7h 0x00000059 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E40770 second address: 4E4077A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 72A4045Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E4077A second address: 4E4079F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push esi 0x0000000a movsx edi, cx 0x0000000d pop esi 0x0000000e jmp 00007F3BB941C8DBh 0x00000013 popad 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov dx, 9586h 0x0000001e popad 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E4079F second address: 4E40801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007F3BB8CF950Dh 0x00000011 pushfd 0x00000012 jmp 00007F3BB8CF9510h 0x00000017 sbb al, 00000058h 0x0000001a jmp 00007F3BB8CF950Bh 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ecx 0x00000022 jmp 00007F3BB8CF9516h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F3BB8CF950Eh 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E40801 second address: 4E40813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8DEh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E40813 second address: 4E4082A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E4082A second address: 4E40831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E408BC second address: 4E408C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E408C2 second address: 4E50B16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a jmp 00007F3BB941C8D2h 0x0000000c and bl, 00000001h 0x0000000f movzx eax, bl 0x00000012 lea esp, dword ptr [ebp-0Ch] 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 pop ebp 0x00000019 ret 0x0000001a add esp, 04h 0x0000001d mov eax, dword ptr [005160A4h+ebx*4] 0x00000024 mov ecx, 04B3412Ah 0x00000029 xor ecx, dword ptr [005160ACh] 0x0000002f add eax, ecx 0x00000031 inc eax 0x00000032 jmp eax 0x00000034 push esi 0x00000035 call 00007F3BB9442AA8h 0x0000003a push ebp 0x0000003b push ebx 0x0000003c push edi 0x0000003d push esi 0x0000003e sub esp, 00000284h 0x00000044 mov esi, dword ptr [esp+00000298h] 0x0000004b mov dword ptr [esp+00000268h], 00518100h 0x00000056 mov dword ptr [esp+00000264h], 0000009Dh 0x00000061 mov dword ptr [esp], 00000000h 0x00000068 mov eax, dword ptr [00513D58h] 0x0000006d call eax 0x0000006f mov edi, edi 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F3BB941C8E5h 0x00000078 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50B16 second address: 4E50B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB8CF950Ch 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50B26 second address: 4E50B57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F3BB941C8DCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3BB941C8E7h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50B57 second address: 4E50C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3BB8CF950Fh 0x00000009 and ch, 0000007Eh 0x0000000c jmp 00007F3BB8CF9519h 0x00000011 popfd 0x00000012 call 00007F3BB8CF9510h 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push ebx 0x0000001f pushfd 0x00000020 jmp 00007F3BB8CF950Ah 0x00000025 add ch, FFFFFFA8h 0x00000028 jmp 00007F3BB8CF950Bh 0x0000002d popfd 0x0000002e pop esi 0x0000002f pushfd 0x00000030 jmp 00007F3BB8CF9519h 0x00000035 sbb ecx, 4E4A2BC6h 0x0000003b jmp 00007F3BB8CF9511h 0x00000040 popfd 0x00000041 popad 0x00000042 cmp dword ptr [769B459Ch], 05h 0x00000049 jmp 00007F3BB8CF950Eh 0x0000004e je 00007F3C2A7F7303h 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 mov ecx, edx 0x00000059 jmp 00007F3BB8CF9519h 0x0000005e popad 0x0000005f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50C27 second address: 4E50C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50C2D second address: 4E50C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50CB8 second address: 4E50CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50CBC second address: 4E50CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50CC2 second address: 4E50CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50CC8 second address: 4E50CCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50CCC second address: 4E50D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 33E54C91h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3BB941C8E7h 0x00000018 add cl, FFFFFF8Eh 0x0000001b jmp 00007F3BB941C8E9h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F3BB941C8E0h 0x00000027 xor si, 4508h 0x0000002c jmp 00007F3BB941C8DBh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50D36 second address: 4E50D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50D3C second address: 4E50D81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F3C2AF216FBh 0x00000010 push 76952B70h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov eax, dword ptr [esp+10h] 0x00000020 mov dword ptr [esp+10h], ebp 0x00000024 lea ebp, dword ptr [esp+10h] 0x00000028 sub esp, eax 0x0000002a push ebx 0x0000002b push esi 0x0000002c push edi 0x0000002d mov eax, dword ptr [769B4538h] 0x00000032 xor dword ptr [ebp-04h], eax 0x00000035 xor eax, ebp 0x00000037 push eax 0x00000038 mov dword ptr [ebp-18h], esp 0x0000003b push dword ptr [ebp-08h] 0x0000003e mov eax, dword ptr [ebp-04h] 0x00000041 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000048 mov dword ptr [ebp-08h], eax 0x0000004b lea eax, dword ptr [ebp-10h] 0x0000004e mov dword ptr fs:[00000000h], eax 0x00000054 ret 0x00000055 jmp 00007F3BB941C8E6h 0x0000005a sub esi, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F3BB941C8E3h 0x00000065 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50D81 second address: 4E50D87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50D87 second address: 4E50D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8DBh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50D96 second address: 4E50D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50D9A second address: 4E50DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-1Ch], esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov ebx, 5251F2D4h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50E24 second address: 4E50EA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9511h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3C2A7ED052h 0x0000000f jmp 00007F3BB8CF950Eh 0x00000014 cmp dword ptr [ebp+08h], 00002000h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3BB8CF950Dh 0x00000024 and esi, 2D4FE716h 0x0000002a jmp 00007F3BB8CF9511h 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007F3BB8CF9510h 0x00000036 sbb cx, 1338h 0x0000003b jmp 00007F3BB8CF950Bh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6095D second address: 4E60963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60963 second address: 4E60967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60967 second address: 4E6097C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3BB941C8DAh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6097C second address: 4E609C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, C574h 0x00000007 call 00007F3BB8CF950Dh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F3BB8CF9518h 0x0000001a jmp 00007F3BB8CF9512h 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E609C4 second address: 4E60A1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F3BB941C8E6h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F3BB941C8E1h 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 mov si, di 0x0000001c mov bl, DCh 0x0000001e popad 0x0000001f mov esi, dword ptr [ebp+0Ch] 0x00000022 jmp 00007F3BB941C8DEh 0x00000027 test esi, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60A1F second address: 4E60A25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60A25 second address: 4E60A5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3C2AF0A250h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3BB941C8E7h 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60A5C second address: 4E60AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F3BB8CF950Bh 0x0000000b jmp 00007F3BB8CF9513h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 cmp dword ptr [769B459Ch], 05h 0x0000001b pushad 0x0000001c push eax 0x0000001d mov cl, dl 0x0000001f pop esi 0x00000020 mov esi, edx 0x00000022 popad 0x00000023 je 00007F3C2A7FEF0Ah 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov di, cx 0x0000002f call 00007F3BB8CF950Ch 0x00000034 pop eax 0x00000035 popad 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60AAD second address: 4E60AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8E7h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60AC8 second address: 4E60AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3BB8CF9511h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60AE4 second address: 4E60AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB941C8DCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60AF4 second address: 4E60B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60B56 second address: 4E60B5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60BDA second address: 4E60BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BB8CF950Eh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60BEC second address: 4E60C15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB941C8DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3BB941C8E5h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622E30A second address: 622E324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BB8CF9516h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622E324 second address: 622E32A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622E32A second address: 622DB02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnp 00007F3BB8CF9524h 0x0000000f pushad 0x00000010 mov edx, dword ptr [ebp+122D2BACh] 0x00000016 jng 00007F3BB8CF950Ch 0x0000001c popad 0x0000001d push dword ptr [ebp+122D0CA1h] 0x00000023 jnp 00007F3BB8CF9517h 0x00000029 call dword ptr [ebp+122D28D5h] 0x0000002f pushad 0x00000030 mov dword ptr [ebp+122D220Ch], ecx 0x00000036 xor eax, eax 0x00000038 jnp 00007F3BB8CF951Eh 0x0000003e jmp 00007F3BB8CF9518h 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 pushad 0x00000048 jbe 00007F3BB8CF951Fh 0x0000004e mov ax, 1691h 0x00000052 popad 0x00000053 mov dword ptr [ebp+122D2D84h], eax 0x00000059 jmp 00007F3BB8CF950Eh 0x0000005e mov esi, 0000003Ch 0x00000063 jmp 00007F3BB8CF9518h 0x00000068 stc 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d add dword ptr [ebp+122D220Ch], eax 0x00000073 lodsw 0x00000075 add dword ptr [ebp+122D2129h], eax 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f stc 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 pushad 0x00000085 adc esi, 171E8291h 0x0000008b popad 0x0000008c nop 0x0000008d pushad 0x0000008e push eax 0x0000008f push edx 0x00000090 pushad 0x00000091 popad 0x00000092 rdtsc
            Tries to evade debugger and weak emulator (self modifying code)
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 52B976 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 52B8E0 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 6D8212 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 774431 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 622DB71 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 63D0749 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 63FA7CE instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 63D7676 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
            Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
            Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
            Source: C:\Users\user\Desktop\file.exe TID: 2536Thread sleep time: -240000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: file.exe, 00000000.00000002.2432174692.00000000063AF000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2420960885.00000000006B8000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2431682259.00000000060F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: file.exe, 00000000.00000002.2422824185.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
            Source: file.exe, 00000000.00000003.2182584658.0000000005827000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: file.exe, 00000000.00000002.2422824185.0000000000EC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: file.exe, 00000000.00000002.2432174692.00000000063AF000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2420960885.00000000006B8000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2431682259.00000000060F4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: file.exe, 00000000.00000003.2182584658.0000000005821000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
            Source: C:\Users\user\Desktop\file.exeFile opened: SICE
            Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            LummaC encrypted strings found
            Source: file.exe, 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: p3ar11fter.sbs
            Source: file.exe, 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: 3xp3cts1aim.sbs
            Source: file.exe, 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: peepburry828.sbs
            Source: file.exe, 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: p10tgrace.sbs
            Source: file.exe, 00000000.00000002.2420678937.00000000004D1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: processhol.sbs
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0Jump to behavior
            Source: file.exe, 00000000.00000002.2420960885.00000000006B8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~Program Manager
            Source: file.exe, 00000000.00000002.2432174692.00000000063AF000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: JProgram Manager
            Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: file.exe, 00000000.00000003.2233665120.0000000000EB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: es%\Windows Defender\MsMpeng.exe
            Source: file.exe, 00000000.00000003.2228123059.0000000000EB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Tries to steal Crypto Currency Wallets
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
            Source: Yara matchFile source: 00000000.00000003.2213320242.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
            Windows Management Instrumentation            		1
            DLL Side-Loading            		12
            Process Injection            		34
            Virtualization/Sandbox Evasion            		2
            OS Credential Dumping            		1
            Query Registry            		Remote Services31
            Data from Local System            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            PowerShell            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		12
            Process Injection            		LSASS Memory751
            Security Software Discovery            		Remote Desktop ProtocolData from Removable Media11
            Ingress Tool Transfer            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
            Deobfuscate/Decode Files or Information            		Security Account Manager34
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive3
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
            Obfuscated Files or Information            		NTDS2
            Process Discovery            		Distributed Component Object ModelInput Capture114
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
            Software Packing            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain Credentials223
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            file.exe37%ReversingLabs
            file.exe100%AviraTR/Crypt.ZPACK.Gen
            file.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484490%Avira URL Cloudsafe
            https://cook-rain.sbs/L100%Avira URL Cloudmalware
            https://cook-rain.sbs/apiE100%Avira URL Cloudmalware

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            cook-rain.sbs
            		188.114.97.3
            		truefalse
              		high
              s-part-0017.t-0009.t-msedge.net
              		13.107.246.45
              		truefalse
                		high
                www.google.com
                		172.217.16.132
                		truefalse
                  		high
                  s-part-0032.t-0009.t-msedge.net
                  		13.107.246.60
                  		truefalse
                    		high
                    js.monitor.azure.com
                    		unknown
                    		unknownfalse
                      		high
                      mdec.nelreports.net
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        peepburry828.sbsfalse
                          		high
                          p10tgrace.sbsfalse
                            		high
                            processhol.sbsfalse
                              		high
                              https://cook-rain.sbs/apifalse
                                		high
                                https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.jsfalse
                                  		high
                                  p3ar11fter.sbsfalse
                                    		high

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cfchromecache_107.7.drfalse
                                      		high
                                      https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://cook-rain.sbs/Lfile.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334073576.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334202682.0000000000EB2000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: malware
                                        		unknown
                                        https://duckduckgo.com/ac/?q=file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/chromecache_107.7.drfalse
                                            		high
                                            https://www.linkedin.com/cws/share?url=$chromecache_87.7.dr, chromecache_99.7.drfalse
                                              		high
                                              https://cook-rain.sbs/apiEfile.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              		unknown
                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2427343536.00000000057C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://github.com/Youssef1313chromecache_107.7.drfalse
                                                    		high
                                                    https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0chromecache_87.7.dr, chromecache_99.7.drfalse
                                                      		high
                                                      https://aka.ms/msignite_docs_bannerchromecache_87.7.dr, chromecache_99.7.drfalse
                                                        		high
                                                        https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9chromecache_99.7.drfalse
                                                          		high
                                                          http://polymer.github.io/AUTHORS.txtchromecache_87.7.dr, chromecache_99.7.drfalse
                                                            		high
                                                            https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.ymlchromecache_107.7.drfalse
                                                              		high
                                                              https://management.azure.com/subscriptions?api-version=2016-06-01chromecache_87.7.dr, chromecache_99.7.drfalse
                                                                		high
                                                                https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.mdchromecache_107.7.drfalse
                                                                  		high
                                                                  http://x1.c.lencr.org/0file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://x1.i.lencr.org/0file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://aka.ms/pshelpmechoosechromecache_87.7.dr, chromecache_99.7.drfalse
                                                                        		high
                                                                        https://aka.ms/feedback/report?space=61chromecache_107.7.dr, chromecache_70.7.drfalse
                                                                          		high
                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://learn-video.azurefd.net/vod/playerchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                              		high
                                                                              http://185.215.113.16/off/def.exelfile.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://twitter.com/intent/tweet?original_referer=$chromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                  		high
                                                                                  https://github.com/gewarrenchromecache_107.7.drfalse
                                                                                    		high
                                                                                    http://185.215.113.16/off/def.exepleWebKit/537.36file.exe, 00000000.00000002.2422704141.0000000000D3B000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://polymer.github.io/CONTRIBUTORS.txtchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                          		high
                                                                                          https://www.mozilla.orfile.exe, 00000000.00000003.2195884209.00000000057EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.mdchromecache_107.7.drfalse
                                                                                              		high
                                                                                              https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725chromecache_107.7.drfalse
                                                                                                		high
                                                                                                https://client-api.arkoselabs.com/v2/api.jschromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                  		high
                                                                                                  https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnlchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                    		high
                                                                                                    https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prevchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                      		high
                                                                                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://github.com/Thrakachromecache_107.7.drfalse
                                                                                                          		high
                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYifile.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://polymer.github.io/PATENTS.txtchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                              		high
                                                                                                              https://aka.ms/certhelpchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                		high
                                                                                                                http://185.215.113.16/steam/random.exefile.exe, file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://cook-rain.sbs/file.exe, file.exe, 00000000.00000003.2210538557.000000000583E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213389979.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213547728.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2224176722.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2227774944.000000000583D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2428759644.000000000583E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2233577604.000000000583D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213320242.0000000000EB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://crl.rootca1.amazontrust.com/rootca1.crl0file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://github.com/mairawchromecache_107.7.drfalse
                                                                                                                          		high
                                                                                                                          http://ocsp.rootca1.amazontrust.com0:file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://schema.orgchromecache_99.7.drfalse
                                                                                                                              		high
                                                                                                                              http://polymer.github.io/LICENSE.txtchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                		high
                                                                                                                                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=169648449file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                		unknown
                                                                                                                                https://www.ecosia.org/newtab/file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfile.exe, 00000000.00000003.2196065081.00000000058EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_file.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://aka.ms/yourcaliforniaprivacychoiceschromecache_107.7.drfalse
                                                                                                                                        		high
                                                                                                                                        https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://github.com/nschonnichromecache_107.7.drfalse
                                                                                                                                            		high
                                                                                                                                            https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05chromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                              		high
                                                                                                                                              https://github.com/adegeochromecache_107.7.drfalse
                                                                                                                                                		high
                                                                                                                                                http://crl.microfile.exe, 00000000.00000003.2333942261.0000000000E9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgfile.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://github.com/jonschlinkert/is-plain-objectchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                                      		high
                                                                                                                                                      http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.2195041881.00000000057F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://octokit.github.io/rest.js/#throttlingchromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                                          		high
                                                                                                                                                          https://github.com/js-cookie/js-cookiechromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                                            		high
                                                                                                                                                            http://185.215.113.16/off/def.exefile.exe, file.exe, 00000000.00000003.2333942261.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2334181315.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2422824185.0000000000E55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              http://schema.org/Organizationchromecache_107.7.drfalse
                                                                                                                                                                		high
                                                                                                                                                                https://channel9.msdn.com/chromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2169628659.000000000580A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169835671.0000000005808000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169708126.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctafile.exe, 00000000.00000003.2207535047.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2207814717.00000000057C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://github.com/dotnet/trychromecache_87.7.dr, chromecache_99.7.drfalse
                                                                                                                                                                        		high

                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                        Public IPs

                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                        13.107.246.45
                                                                                                                                                                        		s-part-0017.t-0009.t-msedge.netUnited States
                                                                                                                                                                        		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                        185.215.113.16
                                                                                                                                                                        		unknownPortugal
                                                                                                                                                                        		206894WHOLESALECONNECTIONSNLfalse
                                                                                                                                                                        13.107.246.60
                                                                                                                                                                        		s-part-0032.t-0009.t-msedge.netUnited States
                                                                                                                                                                        		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                        188.114.97.3
                                                                                                                                                                        		cook-rain.sbsEuropean Union
                                                                                                                                                                        		13335CLOUDFLARENETUSfalse
                                                                                                                                                                        239.255.255.250
                                                                                                                                                                        		unknownReserved
                                                                                                                                                                        		unknownunknownfalse
                                                                                                                                                                        172.217.16.132
                                                                                                                                                                        		www.google.comUnited States
                                                                                                                                                                        		15169GOOGLEUSfalse

                                                                                                                                                                        Private

                                                                                                                                                                        IP
                                                                                                                                                                        192.168.2.6

                                                                                                                                                                        General Information

                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                        Analysis ID:1558933
                                                                                                                                                                        Start date and time:2024-11-20 00:18:08 +01:00
                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                        Overall analysis duration:0h 6m 52s
                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                        Report type:full
                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                        Number of analysed new started processes analysed:11
                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                        Technologies:
                                                                                                                                                                        • HCA enabled
                                                                                                                                                                        • EGA enabled
                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                        Sample name:file.exe
                                                                                                                                                                        Detection:MAL
                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winEXE@24/65@9/7
                                                                                                                                                                        EGA Information:Failed
                                                                                                                                                                        HCA Information:
                                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                        • Found application associated with file extension: .exe

                                                                                                                                                                        Warnings

                                                                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 192.229.221.95, 217.20.57.35, 216.58.206.67, 184.28.89.167, 142.251.173.84, 142.250.186.46, 95.101.150.2, 34.104.35.123, 2.19.126.132, 2.19.126.137, 216.58.212.138, 142.250.186.170, 142.250.186.42, 142.250.185.106, 142.250.184.234, 172.217.18.10, 216.58.206.42, 142.250.185.74, 216.58.206.74, 172.217.16.202, 142.250.186.138, 216.58.212.170, 172.217.23.106, 142.250.186.106, 142.250.184.202, 172.217.16.138, 104.208.16.91, 13.74.129.1, 204.79.197.237, 13.107.21.237, 20.42.73.24, 142.250.184.227, 216.58.206.46
                                                                                                                                                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, onedscolprdeus03.eastus.cloudapp.azure.com, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, onedscolprdcus17.centralus.cloudapp.azure.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, star-azurefd-prod.trafficmanager.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, c-bing-com.dual-a-0034.a-msedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net
                                                                                                                                                                        • Execution Graph export aborted for target file.exe, PID 5128 because there are no executed function
                                                                                                                                                                        • HTTPS sessions have been limited to 150. Please view the PCAPs for the complete data.
                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                        • VT rate limit hit for: file.exe

                                                                                                                                                                        Simulations

                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                        18:19:04API Interceptor9x Sleep call for process: file.exe modified